1. Reboot to Safe Mode
2. Check these entries in HijackThis and press Fix:

   R3 - Default URLSearchHook is missing
   O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\gegre.dll
   O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
   O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
   O4 - HKLM\..\Run: [Microsoft Service] C:\WINDOWS\system32\syshost.exe
   O4 - HKLM\..\Run: [Microsoft IDCN] C:\WINDOWS\system32\mshe1p.exe
   O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
   O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
   O4 - HKLM\..\Run: [Norton Personal Firewall] jah.exe
   O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
   O4 - HKLM\..\Run: [Win Update Microsoft] winmode.exe
   O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\nerocheck.exe /i
   O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
   O4 - HKLM\..\Run: [Windows Secure Connection] winsc.exe
   O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe
   O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyrl32.exe
   O4 - HKLM\..\Run: [CWETQ] C:\WINDOWS\aidwaew.exe
   O4 - HKLM\..\RunServices: [Norton Personal Firewall] jah.exe
   O4 - HKLM\..\RunServices: [Win Update Microsoft] winmode.exe
   O4 - HKLM\..\RunServices: [Windows Secure Connection] winsc.exe
   O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
   O4 - HKCU\..\Run: [Norton Personal Firewall] jah.exe
   O4 - HKCU\..\Run: [Win Update Microsoft] winmode.exe
   O4 - HKCU\..\Run: [Windows Secure Connection] winsc.exe
   O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
   

3. Delete these files and folders:
   • C:\WINDOWS\System32\P2P Networking\
   • C:\WINDOWS\System32\canada.exe
   • C:\WINDOWS\aidwaew.exe
   • C:\WINDOWS\gaSrve.exe
   • C:\WINDOWS\gegre.dll
   • C:\WINDOWS\nerocheck.exe
   • C:\WINDOWS\shch.exe
   • C:\WINDOWS\svchost.exe
   • C:\WINDOWS\system32\mshe1p.exe
   • C:\WINDOWS\system32\syshost.exe
   • C:\windows\system32\eliteyrl32.exe
   • c:\windows\system\BHOmod.dll
   • jah.exe
   • winmode.exe
   • winsc.exe
4. Start->Run->"%temp%"->Delete all the files and folders there.
5. Reboot normally and post another log.

My Malware Removal Instructions

Perform the following:

1. Disable System Restore ^*
2. Perform an online virus scan ^{* * * *} .
3. Download, update, and run these tools:
   • Spybot Search & Destroy ^*
   • Lavasoft Adaware ^*
   • CWShredder ^*
   Repeat as necessary until clean.
4. If you still experience problems after doing these steps, download HijackThis ^* and post a log to this forum.
5. To protect against reinfection, download and use these:
   If at all possible, I recommend that you use alternative software, particularly web browsers and email clients:
   • Web Browsers ^{* * *}
   • Email Clients ^{* *}
   If this is not a viable option, or for additional protection, use these:
   • Javacool's SpywareBlaster ^*
   • Javacool's SpywareGuard ^*
   • Malware-blocking HOSTS file ^*
   • IE-SPYAD ^* , Internet Explorer only
6. Optionally Reenable System Restore ^* . Better alternatives to System Restore.

If you encounter any broken links, please inform me of them. Also note that these links direct through my web server to allow me to keep them up-to-date or post additional info. If you are unable to use the links above, click the stars instead, which are a direct link to the page in question.

• Reply or follow-up to this message

• Search this forum
• Start a new thread on a different subject

• Report abuse of the forum