That cwsserviceremove was the file I asked you to download earlier. It's a .reg file and not CWShredder. They are all different tools that we use to remove this infection.
The R1 entries may change but just check and fix whatever the new names are.
You should not add anything to the Ignorelist unless you know what you are doing there. We don't recommend adding anything to that list. Go back to HijackThis->Config button->Ignorelist tab and hit the Delete All button.
OK, I will give you a full instructions then (just in case you can't find those other files I asked you to download earlier):
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Download KillBox
http://www.greyknigh...spy/KillBox.exe. Don't run it yet
Download CWShredder at
http://www.greyknigh...hredder.sfx.exe and run it. Uncompress the file and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.
Download and unzip cwsserviceremove to your desktop. use link below:
http://computercops....ownload&id=3002Download AboutBuster http://www.greyknigh...tBuster.sfx.exe and uncompress the files to a folder on your the Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp!
http://cleanup.stevengould.org/ (Alternate Link if main link don't work -
http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.
Go to Start->Run and type in services.msc and hit OK. Then look for
Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tbdou.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tbdou.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tbdou.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tbdou.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tbdou.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tbdou.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tbdou.dll/sp.html#37049
O2 - BHO: Class - {6BCB6F84-2569-09FD-3A31-9F741A38A421} - C:\WINDOWS\system32\sysrb.dll
O2 - BHO: Class - {8F69ADF9-A5DE-30DA-0B84-99655E5A16A4} - C:\WINDOWS\netwt.dll
O4 - HKLM\..\Run: [sdkok.exe] C:\WINDOWS\system32\sdkok.exe
O4 - HKLM\..\RunOnce: [sdkfp32.exe] C:\WINDOWS\sdkfp32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\d3pu.exe (file missing)Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):
C:\WINDOWS\sdkfp32.exe
C:\WINDOWS\system32\sdkok.exe
C:\WINDOWS\system32\sysrb.dll
C:\WINDOWS\netwt.dll
Double click on cwsserviceremove.reg and say yes to merge it to the registry.Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose Yes.
Restart and run a new HijackThis scan. Save the log file and post it here.
I wish I could, but usually I don't do phone support (for obvious reasons). If you want, maybe we can do this using instant message? Do you have AIM, Yahoo, or MSN instant message accounts? We can chat there.