The about:blank infection has returned again, let's give it another go.
And once you're in safe mode, don't reboot until all of the instructions are finished.
Make sure you still have these apps and download the new apps:
HSfix.zip and unzip it to your desktop but do not use it yet.
Download About:Buster from the link below (I uploaded an up-to-date version again)
Do NOT use it yet
Cwshredder, install it, don't use it yet.
New:
cwsserviceremove.zip and unzip it to your desktop but do not use it yet.
Hoster.zip, unpack but don't use it yet.
CCleaner, install it but again don't use it yet.
Ensure hidden files and folders are still set to show and System Restore is still turned off.
Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called
Remote Procedure Call (RPC) Helper.
Watch out: there are 2 Windows services with almost the same name,
don't disable:
Remote Procedure Call (RPC) Service
or:
Remote Procedure Call (RPC) Locator Service
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.
Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE.
Open HJT and click config > misc tools > "delete an NT service"
Copy and paste:
Remote Procedure Call (RPC) Helper
Click OK.
While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.
And do the same for "cwsserviceremove.reg"
Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.
Bring up Task Manager (Ctrl-Alt-Del) and end these processes if they are present:
apiue32.exe
mfcnx.exe
Now find and delete these files:
C:\WINDOWS\system32\cuxuf.dll
C:\WINDOWS\msue32.dll
C:\WINDOWS\system32\croq.dll
C:\WINDOWS\system32\mfcnx.exe
C:\WINDOWS\apiue32.exe
Now run HijackThis and click the scan button. When it has finished scanning, put a check against the following and click 'fix checked':
C:\WINDOWS\apiue32.exe
C:\WINDOWS\system32\mfcnx.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2D8F6DAA-6B2C-D070-B2CB-029A9926F9E4} - C:\WINDOWS\msue32.dll
O2 - BHO: Class - {E16ABF8F-83C2-19DB-8289-DC73827B4EE6} - C:\WINDOWS\system32\croq.dll
O4 - HKLM\..\Run: [mfcnx.exe] C:\WINDOWS\system32\mfcnx.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINDOWS\apiue32.exe
The following step is important as you may have several malware files in your temp directories.
Now run Ccleaner.
Now navigate to the updated c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open.
Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.
After that, run Hoster and select "restore original hosts".
Now reboot, run HijackThis again, and post a fresh log along with the About:Buster log.
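
As an added example (not part of the original post, and not code from any of the tools it names), here is a small Python triage of HijackThis log lines like those listed above, flagging the patterns this fix targets. The function names, the three heuristics and the last sample line are assumptions made for illustration.

```python
import re

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^/*?"<>|\r\n]+?\.(?:exe|dll)', re.IGNORECASE)

# Files the post lists for deletion, lower-cased for comparison.
DELETE_LIST = {p.lower() for p in (
    r"C:\WINDOWS\system32\cuxuf.dll", r"C:\WINDOWS\msue32.dll",
    r"C:\WINDOWS\system32\croq.dll", r"C:\WINDOWS\system32\mfcnx.exe",
    r"C:\WINDOWS\apiue32.exe")}

# Four lines copied from the post, plus one constructed benign line (the last).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuxuf.dll/sp.html#28129",
    r"O2 - BHO: Class - {2D8F6DAA-6B2C-D070-B2CB-029A9926F9E4} - C:\WINDOWS\msue32.dll",
    r"O4 - HKLM\..\Run: [mfcnx.exe] C:\WINDOWS\system32\mfcnx.exe",
    r"O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINDOWS\apiue32.exe",
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe",
]

def parse_line(line):
    """Split one log line into section code, body and any .exe/.dll paths."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header or free text, not a log entry
    return {"code": m["code"], "body": m["body"], "paths": PATH_RE.findall(m["body"])}

def triage(lines, delete_list=DELETE_LIST):
    """Return (entry, reasons) pairs for entries that merit a closer look."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        body = entry["body"].lower()
        if entry["code"] in ("R0", "R1") and "res://" in body:
            reasons.append("IE page setting loads a res:// page from a local DLL")
        if entry["code"] == "O23" and "unknown owner" in body:
            reasons.append("service with unknown owner")
        if any(p.lower() in delete_list for p in entry["paths"]):
            reasons.append("references a file on the deletion list")
        if reasons:
            flagged.append((entry, reasons))
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry["code"], entry["paths"], "->", "; ".join(reasons))
```

Running the same function over the fresh log after the reboot gives a quick check that none of the flagged entries have come back.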
