Uninstall Shopping Wizard, Home Search Assistent, Search Extender

Discussion in 'Malware Help (A Specialist Will Reply)' started by training4life, May 31, 2005.

  1. training4life

    training4life Sergeant

    Okay... So here is the new log(s).... :D
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have about:Buster downloaded from the READ ME FIRST and install it into its own folder. And make sure you have UPDATED the database for about:buster. You will see when you run it. Just run it and check for updates. Do not run a scan right now.

    Please read through all of the steps first and ask any questions you may have before beginning. Make sure you understand all steps before starting. Also, if you did not leave your PC running after posting your logs, this procedure probably will not work.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested. Make sure you read through ALL of these steps and understand them before starting. If you have to stop midway, you will be starting ALL over again from posting new logs to me working a totally new fix up.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and kill them one at a time by selecting each and then clicking "Kill process". Then click yes.
    C:\WINDOWS\SYSTEM\CRJT.EXE
    C:\WINDOWS\SYSTEM\D3EB32.EXE
    C:\WINDOWS\SYSTEM\SYSAR32.EXE
    C:\WINDOWS\SYSTEM\MSGE.EXE
    C:\WINDOWS\SYSTEM\D3BV32.EXE
    C:\WINDOWS\SYSTEM\WINDO32.EXE
    C:\WINDOWS\SYSTEM\CRNJ32.EXE
    C:\WINDOWS\SYSTEM\IPVF32.EXE
    C:\WINDOWS\SYSTEM\ATLYN32.EXE
    C:\WINDOWS\SYSTEM\ATLUE32.EXE
    C:\WINDOWS\SYSTEM\MSGH32.EXE
    C:\WINDOWS\SYSTEM\NETGW32.EXE
    C:\WINDOWS\SYSTEM\SYSBT32.EXE
    C:\WINDOWS\SYSTEM\IEIU32.EXE
    C:\WINDOWS\SYSTEM\SYSKX32.EXE
    C:\WINDOWS\SYSTEM\MSEF.EXE
    C:\WINDOWS\CRWI32.EXE
    C:\WINDOWS\SYSTEM\APPMA32.EXE
    C:\WINDOWS\SYSTEM\NTJK.EXE
    C:\WINDOWS\ATLNV.EXE
    C:\WINDOWS\JAVAFX32.EXE
    C:\WINDOWS\CRCY.EXE
    C:\WINDOWS\SYSTEM\NTYS.EXE
    C:\WINDOWS\CRWI32.EXE
    C:\WINDOWS\SYSTEM\CRNJ32.EXE
    C:\WINDOWS\CRCY.EXE



    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you make sure you have exited all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL DIRECTED TO DO SO):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {8E8B1F25-4CAA-C9AE-CFE9-AF4A518E8A52} - C:\WINDOWS\MSLJ32.DLL
    O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe
    O4 - HKLM\..\Run: [ADDYA32.EXE] C:\WINDOWS\SYSTEM\ADDYA32.EXE
    O4 - HKLM\..\Run: [NTYS.EXE] C:\WINDOWS\SYSTEM\NTYS.EXE
    O4 - HKLM\..\Run: [IEWM32.EXE] C:\WINDOWS\IEWM32.EXE
    O4 - HKLM\..\RunServices: [APITG32.EXE] C:\WINDOWS\APITG32.EXE /s
    O4 - HKLM\..\RunServices: [CRJT.EXE] C:\WINDOWS\SYSTEM\CRJT.EXE /s
    O4 - HKLM\..\RunServices: [D3EB32.EXE] C:\WINDOWS\SYSTEM\D3EB32.EXE /s
    O4 - HKLM\..\RunServices: [SYSAR32.EXE] C:\WINDOWS\SYSTEM\SYSAR32.EXE /s
    O4 - HKLM\..\RunServices: [MSGE.EXE] C:\WINDOWS\SYSTEM\MSGE.EXE /s
    O4 - HKLM\..\RunServices: [D3BV32.EXE] C:\WINDOWS\SYSTEM\D3BV32.EXE /s
    O4 - HKLM\..\RunServices: [WINDO32.EXE] C:\WINDOWS\SYSTEM\WINDO32.EXE /s
    O4 - HKLM\..\RunServices: [CRNJ32.EXE] C:\WINDOWS\SYSTEM\CRNJ32.EXE /s
    O4 - HKLM\..\RunServices: [IPVF32.EXE] C:\WINDOWS\SYSTEM\IPVF32.EXE /s
    O4 - HKLM\..\RunServices: [ATLYN32.EXE] C:\WINDOWS\SYSTEM\ATLYN32.EXE /s
    O4 - HKLM\..\RunServices: [CRYS.EXE] C:\WINDOWS\CRYS.EXE /s
    O4 - HKLM\..\RunServices: [JAVAUW.EXE] C:\WINDOWS\JAVAUW.EXE /s
    O4 - HKLM\..\RunServices: [NETRY.EXE] C:\WINDOWS\NETRY.EXE /s
    O4 - HKLM\..\RunServices: [ATLUE32.EXE] C:\WINDOWS\SYSTEM\ATLUE32.EXE /s
    O4 - HKLM\..\RunServices: [NETQF32.EXE] C:\WINDOWS\NETQF32.EXE /s
    O4 - HKLM\..\RunServices: [MSGH32.EXE] C:\WINDOWS\SYSTEM\MSGH32.EXE /s
    O4 - HKLM\..\RunServices: [NETGW32.EXE] C:\WINDOWS\SYSTEM\NETGW32.EXE /s
    O4 - HKLM\..\RunServices: [SYSBT32.EXE] C:\WINDOWS\SYSTEM\SYSBT32.EXE /s
    O4 - HKLM\..\RunServices: [IEIU32.EXE] C:\WINDOWS\SYSTEM\IEIU32.EXE /s
    O4 - HKLM\..\RunServices: [MFCOA32.EXE] C:\WINDOWS\MFCOA32.EXE /s
    O4 - HKLM\..\RunServices: [APIWG.EXE] C:\WINDOWS\APIWG.EXE /s
    O4 - HKLM\..\RunServices: [JAVAFY.EXE] C:\WINDOWS\JAVAFY.EXE /s
    O4 - HKLM\..\RunServices: [SYSKX32.EXE] C:\WINDOWS\SYSTEM\SYSKX32.EXE /s
    O4 - HKLM\..\RunServices: [MSEF.EXE] C:\WINDOWS\SYSTEM\MSEF.EXE /s
    O4 - HKLM\..\RunServices: [CRWI32.EXE] C:\WINDOWS\CRWI32.EXE /s
    O4 - HKLM\..\RunServices: [APPMA32.EXE] C:\WINDOWS\SYSTEM\APPMA32.EXE /s
    O4 - HKLM\..\RunServices: [NTJK.EXE] C:\WINDOWS\SYSTEM\NTJK.EXE /s
    O4 - HKLM\..\RunServices: [ATLNV.EXE] C:\WINDOWS\ATLNV.EXE /s
    O4 - HKLM\..\RunServices: [JAVAFX32.EXE] C:\WINDOWS\JAVAFX32.EXE /s
    O4 - HKLM\..\RunServices: [CRCY.EXE] C:\WINDOWS\CRCY.EXE /s
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    - Then exit HJT after clicking FIX
    - now run about:Buster and as soon as it finishes allow it to do the secondary scan. Then move onto the next steps.

    - Now we are going to use the floppy disk I had you make to boot to an MS DOS prompt to continue working on fixing this problem. So put the floppy disk into the floppy drive and then continue to the next step.

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that, wait a minute and then power up your PC with the floppy disk. This floppy should set up an environment path that allows the attrib command to be found.

    - When it boots you will be at the command prompt (full screen) with a prompt A:\>; this means you are on the floppy drive. Enter the below commands, each followed by the enter key. Let me know if you have any problems or get any error messages during these steps (tell me the exact error message). I put in some comments, in purple. They are not part of the commands for you to type. They are just for help.

    Now in command prompt window do the following:
    copy c:\windows\command\attrib.exe
    c:
    cd C:\WINDOWS\SYSTEM

    attrib -s -h -r ADDYA32.EXE
    del ADDYA32.EXE

    Now repeat the above attrib and del commands for each of the below filenames:
    APPMA32.EXE
    ATLUE32.EXE
    ATLYN32.EXE
    CRJT.EXE
    CRNJ32.EXE
    D3EB32.EXE
    SYSAR32.EXE
    MSGE.EXE
    D3BV32.EXE
    WINDO32.EXE
    CRNJ32.EXE
    IPVF32.EXE
    MSGH32.EXE
    NETGW32.EXE
    SYSBT32.EXE
    IEIU32.EXE
    SYSKX32.EXE
    MSEF.EXE
    SYSKX32.EXE
    SYSAR32.EXE
    NTYS.EXE
    NTJK.EXE


    Now continue to delete a bunch of files in another folder:

    cd C:\WINDOWS

    attrib -s -h -r APITG32.EXE
    del APITG32.EXE

    Now repeat the above attrib and del commands for each of the below filenames:

    APIWG.EXE
    ATLNV.EXE
    CRCY.EXE
    CRWI32.EXE
    CRYS.EXE
    CRWI32.EXE
    JAVAFX32.EXE
    JAVAFY.EXE
    IEWM32.EXE
    JAVAUW.EXE
    MSLJ32.DLL
    NETRY.EXE
    NETQF32.EXE
    MFCOA32.EXE


    - Now remove the floppy disk from your floppy drive and press CTRL-ALT-DEL simultaneously to reboot your PC to Windows.

    - The first thing I want you to do is to run about:Buster one more time.

    - Then immediately reboot one more time.

    - Now reconnect your cable to the internet and open one Internet Explorer browser session and then close it.

    - Now get a new HJT log to post

    - Now connect back here and post the new HJT log and tell me how all the steps went.

    If the hijacker is still present, do not reboot or power down after posting your log.
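    As an added example (not code from the thread, from HijackThis or from about:Buster), a small Python checker that reads log lines in the R0/R1/O2/O4 shape chaslang has training4life fix above and flags the traits of this hijacker: search settings redirected into a res:// resource inside a local DLL, the removed URLSearchHook, and RunServices/Run autostarts of short-named files dropped straight into the Windows folder. The sample log, the regexes and the "dropped file" naming heuristic are constructed assumptions, and the same checks cover the second HijackThis fix list later in the thread.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the HijackThis lines quoted in the thread
# (Windows 9x/ME paths). Sample only, not a real log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8E8B1F25-4CAA-C9AE-CFE9-AF4A518E8A52} - C:\WINDOWS\MSLJ32.DLL
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRAM FILES\SPYBLOCS\SpyBlocs.exe
O4 - HKLM\..\RunServices: [CRJT.EXE] C:\WINDOWS\SYSTEM\CRJT.EXE /s
O4 - HKLM\..\RunServices: [APITG32.EXE] C:\WINDOWS\APITG32.EXE /s
O4 - HKLM\..\Run: [NTYS.EXE] C:\WINDOWS\SYSTEM\NTYS.EXE
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\RunServices: [NAME] C:\PATH\FILE.EXE /s
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 body: BHO: Class - {CLSID} - C:\PATH\FILE.DLL
O2_RE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<dll>.*)$")
# Heuristic: short random-looking names dropped straight into C:\WINDOWS or
# C:\WINDOWS\SYSTEM, the naming pattern seen in the thread (CRJT.EXE, D3EB32.EXE,
# MSLJ32.DLL). Legitimate files live there too, so each hit still needs a human look.
DROPPED_RE = re.compile(r"^C:\\WINDOWS(\\SYSTEM)?\\[A-Z0-9]{3,8}\.(EXE|DLL)$", re.IGNORECASE)

Finding = namedtuple("Finding", "kind reason line")  # section, why to review it, raw entry


def analyze_hjt(log: str) -> list:
    """Walk HijackThis-style lines and return entries showing the hijacker's traits."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].lower()
            # Start/search pages pointed at an HTML page stored inside a local DLL
            # (the res://...\lrqfw.dll/sp.html form the thread has the user fix).
            if value.startswith("res://") and ".dll/" in value:
                findings.append(Finding(kind, "IE search setting redirected into a local DLL resource", line))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(kind, "default URLSearchHook removed", line))
        elif kind == "O2":
            m2 = O2_RE.match(body)
            if m2 and DROPPED_RE.match(m2.group("dll")):
                findings.append(Finding(kind, "BHO loaded from a short-named DLL in the Windows folder", line))
        elif kind == "O4":
            m4 = O4_RE.match(body)
            if not m4:
                continue
            cmd = m4.group("cmd")
            silent = cmd.lower().endswith(" /s")   # the "/s" switch on every RunServices entry
            exe = cmd[:-3] if silent else cmd
            if not DROPPED_RE.match(exe):
                continue
            if m4.group("key") == "RunServices" and silent:
                findings.append(Finding(kind, "RunServices autostart of a dropped file with /s switch", line))
            else:
                findings.append(Finding(kind, "autostart of a short-named file in the Windows folder", line))
    return findings
```

    Entries in Program Files (the SpyBlocs line) and the plain about:blank value are left alone by these checks, which is why the output is a review list rather than a verdict.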
     
  3. training4life

    training4life Sergeant

    Here is the log(s)...
     


  4. training4life

    training4life Sergeant

    The process is very long.... Anyways... Mmmm... There are files that don't seem to be visible while I'm doing the HijackThis. These files are not on the list... on the open process manager...

    C:\WINDOWS\SYSTEM\APPMA32.EXE
    C:\WINDOWS\SYSTEM\NTJK.EXE
    C:\WINDOWS\ATLNV.EXE
    C:\WINDOWS\SYSTEM\NTYS.EXE

    And also on the scan part... The ff. "files" are not on the finished product of the "scan"...
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrqfw.dll/sp.html#28129

    Also... On the MS-DOS part there are Files that aren't found...

    APITG32.EXE
    JAVAUW.EXE
    MSLJ32.DLL
    NETRY.EXE
    NETQF32.EXE
    MFCOA32.EXE
    APIWG.EXE
    CRYS.EXE
    CRWI32.EXE
    JAVAFY.EXE
     
  5. training4life

    training4life Sergeant

    Also... My computer is becoming slow... :( And many pop-ups are appearing... :(
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you must have rebooted after posting your previous log because the processes do not go away by themselves.

    The process is long because you have a very bad infection.

    I do not know what you mean. What is "the ff filess"? Are you saying you did not find the above lines?

    They should be there unless about:buster removed them. Did you save the about:buster log? Or did you observe what it said when it was scanning?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you have System Restore disabled?
    Did you have any problems along the way?
    Did you actually boot using the Startup floppy disk?
    Did any of the DOS commands give error messages?
    Did you pull the power plug as requested?
    What did about:buster find? Save the log next time.

    You need to provide more feedback on what happened while running the procedure.

    Since your PM said you will be shutting down your PC, you will need to post a new HijackThis log. But before you even do that, we are going to have to get your Windows Updates. You are way out of date with your IE version and this is not helping matters. Also you need a firewall. Follow the steps below:

    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

    Go to: Windows Update and download all of your updates.

    Download and install the following firewall: ZoneAlarmFree


    After doing the above, post a new HijackThis log and if you want to get this fixed, you MUST NOT reboot or power down. I do not need a Startdreck log unless requested.
     
  8. training4life

    training4life Sergeant

    The "the ff filess" means the following files... And yes they didn't show up... Oh! I also saved the about:buster log too!
     
  9. training4life

    training4life Sergeant

    Yup... The System Restore is disabled!
    Just the missing files. That's all!
    Yup! I've done that! Cuz' that what you said!
    I can't say if it's an error but those missing files have an error... Bad command or missing file or file not found... Those kinds of errors!
    Yup! I pulled the power plug as requested!

    Oh! About the Firewall... I have a question! Does it also block attached files on emails? Cuz' my friend's firewall does block attached files on her email... If it does... I don't think it would be nice for me to download it... Cuz' you see we email attached files most of the time (in school work)... So?
     
  10. training4life

    training4life Sergeant

    The condition of my computer now becomes quite good... Cuz' there are no longer dirty links appearing on my Favorites. And my homepage became stable... It no longer changes into about:blank. But still the trojan is still on my Add/Remove... :(
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to post the HJT log as requested so I can see where you are at.

    You must have a firewall. They only block what you tell them to block. Firewalls do not stop people from using attachments on their emails.
     
  12. training4life

    training4life Sergeant

    Here it is... Sorry if I post it late!
     


  13. training4life

    training4life Sergeant

    Please use this log! Thank you!
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You currently show no R0 or R1 lines related to the hijacker. Does your log still look that way?

    You do show a load of problems still related to the hijacker. It seems as though we are having a problem effectively running all these steps. These clean up procedures always worked before.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and kill them one at a time by selecting each and then clicking "Kill process". Then click yes.

    C:\WINDOWS\SYSTEM\ADDIB32.EXE
    C:\WINDOWS\APPTQ.EXE
    C:\WINDOWS\APPTT32.EXE
    C:\WINDOWS\SYSTEM\MFCXQ32.EXE
    C:\WINDOWS\SYSTEM\MFCBD.EXE
    C:\WINDOWS\JAVAEP32.EXE
    C:\WINDOWS\IPLD.EXE
    C:\WINDOWS\SYSTEM\CRLG.EXE
    After killing all the above processes, check the process manager of HijackThis again. Did any of them come back or did any new ones appear?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet.

    Print these instructions or save locally. You must not be connected to the internet during this. And you MUST NOT have any browsers running.

    Okay, disconnect from the Internet now and close all browser windows. Close all other unnecessary programs too.

    Now run Pocket Killbox.

    Enter each of the following filenames into the box for Full Path of File to Delete. Select Delete on reboot and end explorer shell before deleting. Then press the Delete button (red circle with the white X); when it says reboot now, say no and continue to paste the lines in turn and follow the above procedure every time. DO NOT let it reboot your PC.

    C:\WINDOWS\SYSTEM\ADDIB32.EXE
    C:\WINDOWS\APPTQ.EXE
    C:\WINDOWS\APPTT32.EXE
    C:\WINDOWS\SYSTEM\MFCXQ32.EXE
    C:\WINDOWS\SYSTEM\MFCBD.EXE
    C:\WINDOWS\JAVAEP32.EXE
    C:\WINDOWS\IPLD.EXE
    C:\WINDOWS\SYSTEM\CRLG.EXE

    Now exit Killbox without allowing a reboot.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [NTYS.EXE] C:\WINDOWS\SYSTEM\NTYS.EXE
    O4 - HKLM\..\Run: [CRLG.EXE] C:\WINDOWS\SYSTEM\CRLG.EXE
    O4 - HKLM\..\RunServices: [ADDIB32.EXE] C:\WINDOWS\SYSTEM\ADDIB32.EXE /s
    O4 - HKLM\..\RunServices: [APPTQ.EXE] C:\WINDOWS\APPTQ.EXE /s
    O4 - HKLM\..\RunServices: [APPTT32.EXE] C:\WINDOWS\APPTT32.EXE /s
    O4 - HKLM\..\RunServices: [MFCXQ32.EXE] C:\WINDOWS\SYSTEM\MFCXQ32.EXE /s
    O4 - HKLM\..\RunServices: [MFCBD.EXE] C:\WINDOWS\SYSTEM\MFCBD.EXE /s
    O4 - HKLM\..\RunServices: [JAVAEP32.EXE] C:\WINDOWS\JAVAEP32.EXE /s
    O4 - HKLM\..\RunServices: [IPLD.EXE] C:\WINDOWS\IPLD.EXE /s
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.


    Now reboot your PC. Come back here with a new HJT log and tell me how things are looking. Do not reboot after posting your HJT log.
     
  17. training4life

    training4life Sergeant

    OmG!!! The hijacker is gone in my Add/Remove... Please give me tips in order to protect my PC from this kind of stuff! :D Gosh! Thank you so much! You're a big help!!!
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Finally clean! See the below thread to help keep you that way. You already have some of the items (like a firewall and antivirus - make sure you stay updated).

    How to Protect yourself from malware!
     
  19. training4life

    training4life Sergeant


    chaslang!!! I have another question! Can I activate again the TeaTimer?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not an advocate of using TeaTimer and neither are many other people. It can be a huge resource hog. But if you have been using it without any issues, feel free to do so.

    I prefer to just use Spybot's SDhelper and Immunize feature and use another program like SpySweeper for blocking and detecting.
     
  21. training4life

    training4life Sergeant

    chaslang! I've got another problem... My Internet Explorer keeps on appearing at startup... What should I do? Here is the log...
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wherever you are surfing, you need to stop going there. You have more infections. PC Security starts with you.

    Have you completed ALL of the steps in the How to protect thread?

    Why was Ad-Aware SE running when you obtained a HijackThis log?
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [OGAGENTL] C:\WINDOWS\SYSTEM\OGAGENTL.exe
    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    O4 - HKLM\..\RunServices: [MSGK.EXE] C:\WINDOWS\MSGK.EXE /s

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\OGAGENTL.exe
    C:\WINDOWS\MSGK.EXE
    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
