trojan.21.bi
Platypus_Corpse
01-23-2006, 11:21 PM
I hit a large snag on Sat. I was browsing around looking for a ribbon sorter, of all things, for my uniform, when I got hit by a trojan. AVG sees it as startpage.21.bi.
I have run 6 different spyware and trojan removers and AVG, all up to date and all in safe mode.
Has anyone ever dealt with this and know how to kill it? When it first hit I lost my Internet Explorer and my desktop. I have control over my desktop again, but I know it is still here; the active anti-spyware is popping up every so often with warnings and blocks. Before, whenever I tried to run Internet Explorer, they all went nuts with warnings. So I am back to using Netscape; I don't think it can get into Netscape. I haven't tried to run it again for fear it may make it worse.
Please help
Tombstone
01-23-2006, 11:46 PM
It won't be easy, Plat.
Look at the posts here to get an idea. One person said AdAware with a special plugin may do the job cleaning. It will involve cleaning entries in your windows registry if it doesn't. I have a few more sites I will go to to look at solutions that have worked.
May want to try and save any personal files you want to keep and weigh the invested time in a re-install vs. the hit-or-miss removal. I know I would personally try a couple of shots of the step-by-step removal before throwing in the towel.
Good Luck!
Hopefully someone can offer more encouraging feedback.
']['
Platypus_Corpse
01-24-2006, 12:09 AM
"Look at the posts here to get an idea. One person said AdAware with a special plugin." Where?
odrater
01-24-2006, 12:35 AM
I think the only thing that will work is System Restore.
TJf12
01-24-2006, 02:02 AM
Please read through the instructions before you start (you may want to print this out).
Please download and install these programs - don't run them yet!!
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful")
5. Exit Ewido. DO NOT scan yet.
Tutorial if needed
Please download and unzip AboutBuster to a folder.
AboutBuster MUST be updated before you use it.
Check the AboutBuster Tutorial for instructions.
Don't run it yet.
Download CW-Shredder at the link below:
http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!
+++++++++++++++++++++++++++++++++++++++++++++++++
Here's the fix:
1. Reboot into safe mode
Important Step
2. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Network Security Service
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.
3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:
mfcda32.exe
If you find the files, click on them, and then click End Process => Exit the Task Manager.
4. CLOSE ALL WINDOWS AND BROWSERS. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://mascq.dll/index.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {CD1DA3EE-42C1-88F4-6A75-72D4A81AE705} - C:\WINDOWS\ietm.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...b?rand=20032201
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcda32.exe
Click on Fix Checked and exit HijackThis.
5. Delete the following files if present:
C:\WINDOWS\mfcda32.exe
C:\WINDOWS\system32\ajuvp.dll
C:\WINDOWS\ietm.dll
(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.
6. Double click on the HSfix and when asked to merge say yes.
7. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.
8. Run AboutBuster . This will scan your computer for the bad files and delete them. It will ask to scan the system again, let it. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.
9. Run Ewido Security Suite
Do a "Complete System Scan"
Let it clean all files
10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
11. Reboot into normal mode and open up Internet Explorer
12. Download and run this online virus scan:<---Important
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"
13. Reboot and post a fresh HJT log back here by using the Add Reply button below, and let's see how we did.
If ya get stuck, send me a PM with your phone and I'll try to help ya more.
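The fix above works from a HijackThis log: the R0/R1 start-page and search entries pointing at a res:// DLL, the nameless BHO, the O15 Trusted Zone entries and the O23 service with an unreadable short name are the indicators the post tells the reader to check, and step 5 deletes the files those entries name. As an added example (not TJf12's code, and not part of HijackThis), the following Python script applies those same heuristics to HJT-format lines so a helper can triage a log before replying. The sample log is constructed from the entries quoted in the post plus two ordinary entries (an Adobe BHO and an ATI service, assumed benign) that the rules should leave alone; the line layout assumed is the HJT 1.99-era format shown in the post.

```python
"""Triage a HijackThis log for StartPage/CoolWebSearch-style hijack indicators.

Added example: the rules mirror what the removal post tells the reader to look
for; they are heuristics, not a substitute for reading the whole log.
"""
import re

# Constructed sample: entries quoted in the fix above plus two assumed-benign
# entries (Adobe BHO, ATI service) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ajuvp.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://mascq.dll/index.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {CD1DA3EE-42C1-88F4-6A75-72D4A81AE705} - C:\WINDOWS\ietm.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...b?rand=20032201
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcda32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# HJT prints "(shortname)" only when it differs from the display name, so it is optional.
O23_RE = re.compile(r"^Service: (?P<display>.*?)(?: \((?P<short>.*)\))? - (?P<owner>.*?) - (?P<path>.+)$")
# Absolute Windows paths, or a bare DLL name right after res://
FILE_RE = re.compile(r"(?:[A-Za-z]:\\[^\s/#]+?|(?<=res://)[^\s/#]+?)\.(?:dll|exe|dat)\b", re.IGNORECASE)
GENERIC_BHO_NAMES = {"class", "(no name)"}


def in_windows_root(path):
    # True when the file sits directly in the Windows directory rather than a subfolder
    p = path.lower().replace("/", "\\")
    return p.startswith("c:\\windows\\") and "\\" not in p[len("c:\\windows\\"):]


def check_entry(kind, body):
    """Return a reason string if this HJT entry matches a hijack indicator, else None."""
    if kind in ("R0", "R1"):
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value.lower().startswith("res://"):
            return "IE start/search page served from a local DLL resource (res://)"
    elif kind == "R3" and "is missing" in body:
        return "default URLSearchHook removed"
    elif kind == "O2":
        m = O2_RE.match(body)
        if m and (m["name"].strip().lower() in GENERIC_BHO_NAMES or in_windows_root(m["path"])):
            return "browser helper object with a generic name or a DLL dropped in the Windows directory"
    elif kind == "O15":
        return "Trusted Zone / Trusted IP range entry (relaxes IE security for that host)"
    elif kind == "O23":
        m = O23_RE.match(body)
        if m and m["owner"] == "Unknown owner":
            short = m["short"] or m["display"]
            if not short.isascii() or not short.isprintable() or in_windows_root(m["path"]):
                return "service with unknown owner and a garbage short name or a binary in the Windows directory"
    return None


def triage(log_text):
    """Parse HJT-format lines and return the flagged entries, each with a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reason = check_entry(m["kind"], m["body"])
        if reason:
            findings.append({"kind": m["kind"], "line": line, "reason": reason})
    return findings


def suspect_files(findings):
    """Collect the file paths named in flagged entries (the list step 5 of the fix deletes)."""
    return sorted({f.lower() for fnd in findings for f in FILE_RE.findall(fnd["line"])})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for fnd in hits:
        print(f"[{fnd['kind']}] {fnd['reason']}\n    {fnd['line']}")
    print("files to inspect:", suspect_files(hits))
```

Two of the entries the post fixes are deliberately left to a human: the `Default_Page_URL = about:blank` line is only suspicious in context (about:blank is also a normal default), and the O16 WeatherBug download is an ordinary ActiveX install. The script flags what a log reader can decide mechanically and leaves the rest in the log for review.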
Platypus_Corpse
01-24-2006, 10:14 PM
Thanks for helping, I think I got it licked.
Tombstone
01-24-2006, 10:47 PM
"Look at the posts here to get an idea. One person said AdAware with a special plugin." Where?
DOH! I forgot to post the link... it was basically a lot of posts about what TJ posted.
http://www.geekstogo.com/forum/index.php?showtopic=2644
It was post #8 that mentioned AdAware.
Glad to hear that you beat it.
']['
Punisher
01-26-2006, 09:52 AM
Great job TJ for helping the boys!