Please copy these instructions to notepad or print them out. We'll be working in Safe Mode a little later and you may not be able to access the internet.
Please read all the instructions carefully and query anything you're unsure of before starting.
OK, let's get cracking on this, it may take a long time. Regardless of what steps you took before posting your log, please follow all procedures.
Tools you will need to download before starting:-
CWShredder
LSP-Fix.zip
Disable System Restore
Click Start >
Right click on My Computer> Properties> System Restore
and tick the box that says 'Turn off System Restore'
Run an online virus scan at TrendMicro using the 'Autoclean' option and an Online Trojan Scan. Let them fix everything they find.
When you get the all clear, turn System Restore back on.
Click Start >
Right click on My Computer> Properties> System Restore
and untick the box that says 'Turn off System Restore'
Then go to
Start> All Programs> Accessories> System Tools> System Restore
and create a new Restore Point.
Re-enable NAV.
Please now run CWShredder.
Close all windows & browsers, click 'Fix' (not just 'Scan Only').
Let it fix everything it finds.
Go to Add/Remove Programs and delete any of the following if found:-
WAST
MSIETS
Internet 404
Tools for Internet Explorer
Search Toolbar
Web Search Toolbar
Win-Tools Easy Installer
DownloadWare
CtxPls
CPR
Wintools
Wintools Easy Installer
Wintools for Internet Explorer
POP
Then doublecheck to make sure you haven't missed any.
Please be sure to have an internet connection while doing this as some cannot be removed without it. If any of these are still present after the first fix, we may have to remove them manually.
To clear up the remnants of one of the above.
Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following command lines one by one:-
cd "%WinDir%\System"
regsvr32 /u "..\bxs5.dll"
regsvr32 /u "..\bxxs5.dll"
Exit DOS window.
Then open the registry. Please be careful in here. Only delete what you are instructed to. Click 'Start', choose 'Run', and enter 'regedit'
Before you edit the registry, you should make a backup.
Click 'FILE\Export Registry File'.
Call it REGBACKUP and save it on your desktop.
Now navigate to the following key:-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete 'Bxxs5' or 'Bxsx5' if found.
Exit registry.
Run Ad-Aware SE again but configure it as per the Ad-Aware Tutorial instructions. (link in my signature below)
Go and make yourself a cuppa and take 5
Now close all windows and browsers, run HJT again and check mark the following making sure you don't miss any:-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvyel32.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [yesdtma] C:\WINDOWS\System32\hpgxnvwm.exe
O4 - HKLM\..\Run: [C:\WINDOWS\rjojsc.exe] C:\WINDOWS\rjojsc.exe
O4 - HKLM\..\Run: [dzpfrc] C:\WINDOWS\System32\dzpfrc.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\Cache\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [mnktmb] C:\WINDOWS\mnktmb.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [rF9R36T] icwcd.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [aoq5RWf7g] icarage.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
Click FIX CHECKED
Please now run LSPFix.zip
Disconnect from the Internet and close all Internet Explorer Windows.
Check the "I know what I'm doing" button and move all instances of aklsp.dll from the left panel to the right panel, then click 'Finish'
(If you lose your internet connection please run HijackThis again and check that 'aklsp.dll' is still the file name at the end of the below blue entry in HJT. If it's changed, follow LSPFix instructions using this new file name in the fix)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
Now Set Windows to 'Show all files & folders'.
Click Start > My Computer> Tools> Folder Options>
On the View tab make sure that you:-
Select 'Show Hidden Files & Folders'
Uncheck 'Hide file extensions for known file types'.
Uncheck 'Hide protected operating system files'.
Click OK.
Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.
Go to C:\WINDOWS and delete the following files/folders if found:-
bsx32
AdRoar.dll
rjojsc.exe
bxxs5.dll
wast2.exe 2
ARUpdate.exe
conscorr.exe
mnktmb.exe
wupdt.exe
Go to C:\WINDOWS\system32 and delete the following files:-
kalvyel32.exe
stcloader.exe
saie.exe
winupdtl.exe
hpgxnvwm.exe
dzpfrc.exe
Cache (containing cxtpls_loader.exe)
icwcd.exe
icarage.exe
Go to C:\Program Files and delete the following folders:-
MySearch
SED
Web_Rebates
AutoUpdate
AdDestroyer
Go to C:\PROGRA~1 and delete the following folders:-
Toolbar
VBOUNCER
ezula
Web Offer
Go to C:\PROGRA~1\COMMON~1 and delete the following folder:-
WinTools
Clean out temporary files:
* Go to Start | Run | type cleanmgr | OK
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the ONLY things checked.
* Let it scan your system for files to remove.
* Press OK to remove them.
Open HijackThis again.
Click 'Config' (bottom right) > Misc Tools > Open Hosts File Manager
Delete everything inside apart from
127.0.0.1 Localhost
Exit HijackThis.
VERY IMPORTANT:
You Need to Update Windows and IE to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.
Please go to Windows Update, download and install the Service Pack and ALL Critical Updates.
Reboot and post a fresh log detailing any problems you encountered.
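
One way to check the fresh log requested above against the entries that were fixed, so that anything which reinstalled itself stands out (an added example, not part of the original post). The function names are hypothetical, `FIXED` holds a few lines copied from the fix list above, and `FRESH` is a constructed sample log.

```python
import re

# A few entries copied from the fix list in the post above.
FIXED = r"""
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

# Constructed "fresh log": one unrelated entry plus two fixed items that came back.
FRESH = r"""
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe"
O4 - HKLM\..\Run: [BXXS5] rundll32.exe C:\WINDOWS\bxxs5.dll,DllRun
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

LINE = re.compile(r"^(?P<code>[ORNF]\d+) - (?P<rest>.+)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] .+$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def entry_key(line):
    """Reduce one HijackThis line to an identity that survives cosmetic changes."""
    m = LINE.match(line.strip())
    if not m:
        return None                      # blank line or not a log entry
    code, rest = m["code"], m["rest"]
    run = RUN.match(rest)
    if code == "O4" and run:
        # Autorun values: hive + key + value name (registry names ignore case).
        return (code, run["hive"], run["key"], run["name"].lower())
    clsid = CLSID.search(rest)
    if clsid:
        # BHOs, toolbars, protocols: the CLSID identifies the component.
        return (code, clsid.group(0).lower())
    return (code, rest.lower())          # everything else: whole entry text

def index(log):
    return {k: ln.strip() for ln in log.splitlines() if (k := entry_key(ln))}

def still_present(fixed_log, fresh_log):
    """Return fresh-log lines whose identity matches an entry that was fixed."""
    fixed, fresh = index(fixed_log), index(fresh_log)
    return [fresh[k] for k in fixed if k in fresh]

if __name__ == "__main__":
    for line in still_present(FIXED, FRESH):
        print("RETURNED:", line)
```

Matching on value name or CLSID rather than the whole line catches an entry that comes back with different casing or a changed command line; the O10 entry is matched on its full text, so a renamed LSP file will not match and still needs checking by eye as the post describes.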