Only the best

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gingerveli, Dec 15, 2005.

  1. gingerveli

    gingerveli Private E-2

    Hi all, thanks very much for all the information on here.
    I've tried to get rid of the Only the best hijacker, followed the simplified removal steps, including steps 1-6 in the read me first link and followed all the directions. But the Only the Best hijacker is still active.
    I've run Hijack This and have attached the log.
    Any help is appreciated!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE versions are way out of date and represent a major security risk. AFTER we fix any current problems, you must fix this.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now download the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    READ THRU STEPS FIRST AND ASK QUESTIONS BEFORE EXECUTING!
    Print or save the below instructions locally to a notepad file (a text file) and then before continuing to execute them, physically unplug your cable to the internet and exit ALL browsers and any other running applications.

    Run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not restart almost immediately. Just continue on with the steps. But let me know later.)
    C:\WINDOWS\ntwo.exe
    C:\WINDOWS\system32\mshk32.exe



    Now just under the white window in HJT click the Back button (the one just to the right of the Run.. button). Now just leave HJT running.

    If you have trouble finding this Service you must let me know later.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Network Security Service (NSS) (or if you cannot find that name, look for the short name: 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


    Now return to your HijackThis window and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Network Security Service (NSS)

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I

    You have to copy and paste because these characters are not easily entered. Also important NOTE: There is a space in front of the 11F so add the space too or HJT will not find the service.

    After doing that exit HijackThis but do not reboot if it asks you to do so. We will be restarting HJT to run some additional steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not be there again. We are double checking.)
    C:\WINDOWS\ntwo.exe
    C:\WINDOWS\system32\mshk32.exe


    After killing all the above processes, click "Back" (the button all the way to the lower right).
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gyulk.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gyulk.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gyulk.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gyulk.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gyulk.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gyulk.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gyulk.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.31.81.22 www.alexa.com alexa.com
    O2 - BHO: Class - {49093240-8C68-BEDC-15C1-49AA03992821} - C:\WINDOWS\system32\netez.dll (file missing)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {710089CF-87C3-763F-C8F6-5A0DBFD3AEC3} - C:\WINDOWS\javabe.dll
    O2 - BHO: Class - {B550CD9A-C0AA-8CB8-A818-1E958A0B3515} - C:\WINDOWS\javabe.dll
    O2 - BHO: (no name) - {DA3BE275-64D8-6ABD-3BCA-D3E32D64FEDA} - C:\WINDOWS\javabe.dll
    O2 - BHO: Class - {DAA49D52-97DE-8547-EE67-4486D278A768} - C:\WINDOWS\javabe.dll
    O2 - BHO: Class - {EFC8DDF6-8521-A505-7712-988F83AE9965} - C:\WINDOWS\javabe.dll
    O2 - BHO: Class - {FF5E4D7B-991C-539A-207F-EE7416539411} - C:\WINDOWS\javabe.dll
    O4 - HKLM\..\Run: [FHPage] C:\WINDOWS\system32\shdochp.exe home
    O4 - HKLM\..\Run: [mshk32.exe] C:\WINDOWS\system32\mshk32.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntwo.exe" /s (file missing)


    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings (use www.majorgeeks.com for now)
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\system32\shdochp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\mshk32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\shdochp.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\javabe.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\ntwo.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

    - Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
    C:\WINDOWS\system32\shdochp.exe
    C:\WINDOWS\system32\mshk32.exe
    C:\WINDOWS\system32\shdochp.dll
    C:\WINDOWS\javabe.dll
    C:\WINDOWS\ntwo.exe

    Now reboot into normal mode.

    Now get a new HJT log and attach it here. And tell us how these steps went and how things are working.
     
    Last edited: Dec 15, 2005
  3. gingerveli

    gingerveli Private E-2

    Hi, I went through those steps. I couldn't kill C:\WINDOWS\ntwo.exe in HijackThis, but it wasn't to be found when I finished the steps and restarted in safe mode.
    Also, I couldn't find "Network Security Service (NSS)" or " 11Fßä#·ºÄÖ`I". I had previously disabled NSS in earlier steps.

    I'm still having problems with the Only the best pop ups.

    I've attached an up to date HijackThis log.

    Also, off subject, shall I enable system restore and hide hidden files again?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could not find it because it changed its name to one of the other typical bad services that it uses. It is important that no reboots or power downs occur in between posting a HijackThis log and me posting a fix, otherwise things like this will happen. It is now:

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntwo.exe (file missing)

    So what I need you to do, is post another HJT and then tell me that you understand and will not shutdown or otherwise reboot until I post a new fix and you run the steps in the fix.

    Also answer this: did you do the previous steps with your cable to the internet unplugged and with all other applications (especially browsers) closed?
     
  5. gingerveli

    gingerveli Private E-2

    I haven't rebooted my computer since I posted the HijackThis log.

    Yep, I unplugged my internet connection and closed all browsers.
    I'll attach another HijackThis log just in case.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First uninstall or disable the protection mechanisms of MS Antispyware as it may block some of these fixes.

    READ THRU STEPS FIRST AND ASK QUESTIONS BEFORE EXECUTING!
    Print or save the below instructions locally to a notepad file (a text file) and then before continuing to execute them, physically unplug your cable to the internet and exit ALL browsers and any other running applications.


    Run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not restart almost immediately. Just continue on with the steps. But let me know later.)
    C:\WINDOWS\javaic32.exe
    C:\WINDOWS\sysaz32.exe

    Now just under the white window in HJT click the Back button (the one just to the right of the Run.. button). Now just leave HJT running.

    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Workstation NetLogon Service (or if you cannot find that name, look for the short name: 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows. Make sure you tell me the results of this step later when you return.

    Now return to your HijackThis window and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Workstation NetLogon Service

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I

    You have to copy and paste because these characters are not easily entered. Also important NOTE: There is a space in front of the 11F so add the space too or HJT will not find the service.

    After doing that exit HijackThis but do not reboot if it asks you to do so. We will be restarting HJT to run some additional steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not be there again. We are double checking.)
    C:\WINDOWS\ntwo.exe
    C:\WINDOWS\javaic32.exe
    C:\WINDOWS\sysaz32.exe

    After killing all the above processes, click "Back" (the button all the way to the lower right).
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {43544B19-A240-DF9B-5CE9-9DC02154188E} - C:\WINDOWS\system32\d3bt32.dll
    O4 - HKLM\..\Run: [sysaz32.exe] C:\WINDOWS\sysaz32.exe
    O4 - HKLM\..\RunOnce: [javaic32.exe] C:\WINDOWS\javaic32.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntwo.exe (file missing)

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings (Please use www.majorgeeks.com for now)
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\ntwo.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\javaic32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\d3bt32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\sysaz32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

    - Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
    C:\WINDOWS\ntwo.exe
    C:\WINDOWS\javaic32.exe
    C:\WINDOWS\sysaz32.exe
    C:\WINDOWS\system32\d3bt32.dll

    Let me know if any of the above four files are still found at this point.

    Now reboot into normal mode.

    Now get a new HJT log and attach it here. And tell us how these steps went and how things are working. Again please DO NOT power down or reboot after posting your log.
     
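    The two fixes above (posts 2 and 6) pick the same kinds of entries out of the HJT log by eye. The script below is an added example, not part of this thread or of HijackThis itself: it parses lines in that log format and flags the patterns a defender reviewing such a log would want surfaced (res:// search hijacks, BHOs with no backing file or many CLSIDs behind one DLL, a HOSTS redirect, a DPF download from a bare IP, and a service whose short name carries a leading space and non-ASCII characters). The sample lines are copied from the logs quoted in those two posts; the function names and regexes are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
# Constructed sample input: HijackThis lines copied from the log excerpts
# chaslang quotes in this thread (nothing here was generated by the tool).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xuvxg.dll/sp.html#93256%everything4find.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.31.81.22 www.alexa.com alexa.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {710089CF-87C3-763F-C8F6-5A0DBFD3AEC3} - C:\WINDOWS\javabe.dll
O2 - BHO: Class - {B550CD9A-C0AA-8CB8-A818-1E958A0B3515} - C:\WINDOWS\javabe.dll
O4 - HKLM\..\Run: [sysaz32.exe] C:\WINDOWS\sysaz32.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntwo.exe (file missing)
"""

RES_DLL = re.compile(r"res://\S+\.dll", re.IGNORECASE)
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.IGNORECASE)
BHO = re.compile(r"^O2 - BHO: (.+?) - \{([0-9A-Fa-f-]{36})\} - (.+)$")


def parse_service(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split an O23 line into (display name, short name, owner, image path).
    The short name is the LAST parenthesised group (so 'Network Security
    Service (NSS)' still parses) and is returned unstripped: its leading
    space is the detail the thread warns about when pasting it into HJT."""
    if not line.startswith("O23 - Service: "):
        return None
    parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name_part, owner, path = parts
    if not name_part.endswith(")") or "(" not in name_part:
        return name_part, "", owner, path
    idx = name_part.rfind("(")
    return name_part[:idx].rstrip(), name_part[idx + 1:-1], owner, path


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for log lines that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    dll_users: Dict[str, List[str]] = defaultdict(list)
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1") and RES_DLL.search(line):
            findings.append((line, "IE start/search page served out of a res:// DLL resource"))
        elif tag == "R3" and line.endswith("is missing"):
            findings.append((line, "default URLSearchHook has been removed"))
        elif tag == "O1":
            findings.append((line, "HOSTS entry pins a public hostname to a fixed IP"))
        elif tag == "O2" and (m := BHO.match(line)):
            target = m.group(3)
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append((line, "BHO CLSID registered without a backing file"))
            else:
                dll_users[target.lower()].append(m.group(2))
        elif tag == "O16" and RAW_IP_URL.search(line):
            findings.append((line, "ActiveX download (DPF) from a bare IP address"))
        elif tag == "O23" and (svc := parse_service(line)):
            _, short, owner, path = svc
            if owner == "Unknown owner" or path.endswith("(file missing)"):
                findings.append((line, "service with unknown owner or missing image file"))
            if short != short.strip() or not short.isascii():
                findings.append((line, "service short name has padding or non-ASCII characters"))
    # Many CLSIDs fronting one DLL is the fan-out pattern javabe.dll shows above.
    for dll, clsids in dll_users.items():
        if len(clsids) > 1:
            findings.append((dll, f"{len(clsids)} BHO CLSIDs load the same DLL"))
    return findings
```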
  7. gingerveli

    gingerveli Private E-2

    Went through all steps as said, unplugged internet and printed steps so no other browsers open.

    All the steps went fine, but I didn't find a few things:

    1) When told to "Delete an NT Service", neither of the two names was found in the registry.
    2) In the double check, the Windows files were not found (guess that's good anyway)
    3) Fixing using HJT, did not find
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntwo.exe (file missing)
    4) Pocket Killbox did not find C:\WINDOWS\ntwo.exe or C:\WINDOWS\system32\d3bt32.dll

    Other than that it all went fine. Attached an up to date HJT log and the computer will stay on until your reply!

    P.S: So far so good, no hijacking of home web page! :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you been fixing the below line? I'm wondering why it keeps reappearing:

    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    Quickly fix the below and post a new HJT log:

    O2 - BHO: Class - {2149D77F-E32B-6BD8-432F-825A2291D284} - C:\WINDOWS\system32\d3bt32.dll (file missing)
    O2 - BHO: Class - {2788183F-7DE1-3DFE-2816-204EF4CC13BB} - C:\WINDOWS\system32\d3bt32.dll (file missing)
    O2 - BHO: Class - {4BE145FD-66CA-9DA1-D00B-D5A3DD779D5F} - C:\WINDOWS\system32\d3bt32.dll (file missing)
    O2 - BHO: Class - {660D4850-F3DF-A207-C21D-9B7B881BAB10} - C:\WINDOWS\system32\d3bt32.dll (file missing)
    O2 - BHO: Class - {91F19CF2-ADB1-0B48-0DBE-F18D58A48453} - C:\WINDOWS\system32\d3bt32.dll (file missing)
    O2 - BHO: Class - {A30F194C-5202-0A8C-0C06-1199DABBFCAC} - C:\WINDOWS\system32\d3bt32.dll (file missing)
    O2 - BHO: Class - {A4308234-9FA3-20A2-D74B-99296795AED0} - C:\WINDOWS\system32\d3bt32.dll (file missing)
    O2 - BHO: Class - {EFC65649-3520-DBFB-AC14-E9655DCA543E} - C:\WINDOWS\system32\d3bt32.dll (file missing)
     
  9. gingerveli

    gingerveli Private E-2

    Yep, I did delete the O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    I've deleted what you said.
    Up to date log attached.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it is still there. This backweb stuff is not really true bad malware but most people consider it to be a mild form of spyware used by many companies like Logitech, HP and others. Do you want automatic updates like what is mentioned here:

    http://www.bleepingcomputer.com/startups/ldmconf.exe-2605.html

    Note this is like advertising (adware).
     
  11. gingerveli

    gingerveli Private E-2

    Would it be ok if I leave it, as I have Logitech products on my computer?
     
  12. gingerveli

    gingerveli Private E-2

    And also, could I enable system restore now and turn my computer off?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's up to you! Many people do have the products but do not want this mild malware installed. It is also a waste of system resources.

    Yes you can enable system restore (and shut off your PC) and you should work thru the below:

    How to Protect yourself from malware!
     
  14. gingerveli

    gingerveli Private E-2

    Thank you very very much! :)
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Enjoy the holidays malware free!
     