Since HijackThis does not remove the AppInit entries, I will help you with that:
First, I'd like you to run TFC which will remove the temp files:
TFC (Temp File Cleaner)
Download
TFC to your desktop
- Open the file and close any other windows.
- It will close all programs itself when run, make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job
- Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean
TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
NOTE: some of the entries on the programs below might have been removed by TFC. This is okay- that's why I want you to run it first.
Then
Download and run LSP-Fix
1)[Download LSP-Fix HERE and save to its own directory on the desktop..
2) Double-click on the file to open.
3) In the left hand column, you should see the following files listed:
2425xxx.dll
duhajusa.dll,
2423xxx.dll,
3526xxx.dll,
427xxx.dll,
1135xxx.dll,
1119xxx.dll
[o[Click on each to highlight
[o] Click the arrow in the middle of the screen that points to the right
4)This will move the filename to the right-hand column labeled Remove
5) Do this same thing for each of the files. The xxx in the file may be random numbers.
[o]NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"
6) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
[o]You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
7) Close the LSPFix .
Next, run SDFix:
Download SDFix HERE and save it to your Desktop.
- Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Boot into Safe Mode
- Restart your computer and start pressing the F8 key on your keyboard.
- Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Run SDFix
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
- Attach Report.txt back here
Open HijackThis to 'do system scan only'. Put a
check by each of the following entries if present:
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\rai\ntuser.dll,_IWMPEvents@0
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\DEFAUL~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\DOCUME~1\DEFAUL~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')
Close all open Windows except HijackThis and click on
"Fix Checked."
Follow by new scan with HijackThis.
NOTE: Attach logs and reports except the new HijackThis log. PASTE that in to your next reply
