
Another About:Blank Trojan Hijacked

Spyware, Adware, Viruses and HijackThis Logs
#1
Old 05-07-2005, 10:45 PM
Newbie
D-A-L Newbie
 
Join Date: Jul 2005
Posts: 4
TippaMagoo Is a beginner here at D-A-L
Another About:Blank Trojan Hijacked

OK. Here is what I've done so far. I hope I haven't made this much worse than it was initially.

It started when I obtained a program called Antivirus Gold from the web, and not by choice. I removed this with the help of a post I found through a Google search. In the process I ran HijackThis, Ad-Aware, Spybot S&D, CWShredder, AboutBuster5, KillBox, installed ewido security suite, and repaired IE6 via System File Checker (sfc /scannow in the Run box). The AV Gold is gone but the about:blank remains. Here are the logs I just ran for HijackThis and ewido:

Logfile of HijackThis v1.99.1
Scan saved at 5:16:42 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James Snow\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jplug.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jplug.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\jplug.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\jplug.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jplug.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jplug.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\jplug.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3A3A2001-B541-3D27-89C0-16CDF8212342} - C:\WINNT\system32\winjg32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfcxk.exe] C:\WINNT\system32\mfcxk.exe
O4 - HKLM\..\Run: [javaxa32.exe] C:\WINNT\javaxa32.exe
O4 - HKLM\..\Run: [d3my.exe] C:\WINNT\system32\d3my.exe
O4 - HKLM\..\Run: [atlis32.exe] C:\WINNT\system32\atlis32.exe
O4 - HKLM\..\Run: [sdknk.exe] C:\WINNT\system32\sdknk.exe
O4 - HKLM\..\Run: [mfczr32.exe] C:\WINNT\mfczr32.exe
O4 - HKLM\..\Run: [winjg32.exe] C:\WINNT\system32\winjg32.exe
O4 - HKLM\..\Run: [crpo.exe] C:\WINNT\crpo.exe
O4 - HKLM\..\Run: [javanh.exe] C:\WINNT\system32\javanh.exe
O4 - HKLM\..\Run: [sdkvk32.exe] C:\WINNT\sdkvk32.exe
O4 - HKLM\..\Run: [apiqs.exe] C:\WINNT\apiqs.exe
O4 - HKLM\..\Run: [syskj32.exe] C:\WINNT\system32\syskj32.exe
O4 - HKLM\..\Run: [addve32.exe] C:\WINNT\addve32.exe
O4 - HKLM\..\Run: [netjv.exe] C:\WINNT\system32\netjv.exe
O4 - HKLM\..\Run: [ntti32.exe] C:\WINNT\ntti32.exe
O4 - HKLM\..\Run: [sysun.exe] C:\WINNT\sysun.exe
O4 - HKLM\..\RunOnce: [mfcuo.exe] C:\WINNT\mfcuo.exe
O4 - HKLM\..\RunOnce: [winku.exe] C:\WINNT\winku.exe
O4 - HKLM\..\RunOnce: [apixm.exe] C:\WINNT\system32\apixm.exe
O4 - HKLM\..\RunOnce: [mfctb32.exe] C:\WINNT\system32\mfctb32.exe
O4 - HKLM\..\RunOnce: [d3rs.exe] C:\WINNT\d3rs.exe
O4 - HKLM\..\RunOnce: [addhf.exe] C:\WINNT\addhf.exe
O4 - HKLM\..\RunOnce: [winvu.exe] C:\WINNT\winvu.exe
O4 - HKLM\..\RunOnce: [mfcyn32.exe] C:\WINNT\mfcyn32.exe
O4 - HKLM\..\RunOnce: [apicf.exe] C:\WINNT\apicf.exe
O4 - HKLM\..\RunOnce: [winsv.exe] C:\WINNT\system32\winsv.exe
O4 - HKLM\..\RunOnce: [apiua.exe] C:\WINNT\apiua.exe
O4 - HKLM\..\RunOnce: [msbu32.exe] C:\WINNT\msbu32.exe
O4 - HKLM\..\RunOnce: [iesl.exe] C:\WINNT\iesl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03827e2b2a8ca20...p/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C566096D-79E8-4998-9C69-379FF4F0702D}: NameServer = 63.240.76.19,204.127.198.19
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:15:52 PM, 7/5/2005
+ Report-Checksum: 8EF6BC4E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0AA0087A-593D-F517-11A6-C2CC0A729D7B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\James Snow\Cookies\james snow@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\James Snow\Cookies\james snow@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINNT\addhf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\addjh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\apicf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\apidq32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\apish32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\apiua.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\BRVIDEO.INI:eapur -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\cdplayer.inigzzj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\d3rs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\d3ye32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\javakq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\jplug.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\mfcbt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\mfcvl32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\mfcyn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\msbu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\ODBC.INItwtn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\addcj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\apixm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\crwj.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\iewu.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\javanf32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\lxwco.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\system32\mfcae.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\mfctb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\sysdm.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\sysii32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\winsv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\UP9ASP.INI:yetggd -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\vbaddin.ini:zdlkh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\winku.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\winvu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:aeymh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:dfghuh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:idfyf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:iykgz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:vbxqig -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\__delete_on_reboot__apiqs.exe -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End


Please HELP!!!
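The two logs in this post are the raw material a helper works from, so here is an added example of triaging them automatically. This is not code from the thread, from HijackThis or from ewido; it is a small Python script that reads lines in the shape posted above and flags the patterns a reviewer looks for first: IE search and start-page keys pointed at a res:// resource inside a DLL, an O2 BHO with no display name, HKLM Run/RunOnce entries whose executable sits directly in the Windows directory under a random-looking name, and ewido report lines that refer to an NTFS alternate data stream (file:stream). The stem list, the allowlist and the sample lines are assumptions I constructed from the names visible in this thread; they are a reading aid for a log, not a vendor signature.

```python
import re

# Constructed sample lines in the shape of the HijackThis v1.99.1 output above
# (a representative mix of hijacked and benign entries, not the full log).
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\jplug.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3A3A2001-B541-3D27-89C0-16CDF8212342} - C:\WINNT\system32\winjg32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mfcxk.exe] C:\WINNT\system32\mfcxk.exe
O4 - HKLM\..\RunOnce: [apicf.exe] C:\WINNT\apicf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
"""

# Constructed sample lines in the shape of the ewido scan report above.
SAMPLE_EWIDO = r"""
C:\WINNT\jplug.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\BRVIDEO.INI:eapur -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_default.pif:aeymh -> TrojanDownloader.Agent.bq : Cleaned with backup
"""

# R0/R1 keys whose value is a res:// URL into a DLL (the jplug.dll/sp.html pattern).
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
RES_DLL = re.compile(r"^res://.+\.dll/", re.IGNORECASE)

# O2 BHO lines: "Class" or "(no name)" as the display name is the tell.
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")

# HKLM Run/RunOnce entries whose executable sits directly in the Windows directory
# (or system32) and is named from a familiar stem (mfc, api, sdk, win, sys, java, ...)
# plus a few random letters and an optional "32". Heuristic distilled from the names
# in this thread; the stem list and allowlist are assumptions, not a signature.
O4_LINE = re.compile(r"^O4 - HKLM\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
WINDIR_EXE = re.compile(r'^[A-Za-z]:\\WIN(?:NT|DOWS)\\(?:system32\\)?(?P<file>[^\\\s"]+\.exe)',
                        re.IGNORECASE)
RANDOM_STEM = re.compile(
    r"^(?:mfc|api|app|sdk|win|sys|java|d3|net|add|ie|cr|atl|ms|ntt)[a-z]{1,4}(?:32)?\.exe$")
KNOWN_GOOD = {"ctfmon.exe", "explorer.exe", "mobsync.exe"}  # constructed allowlist


def triage_hjt(log_text):
    """Return (reason, line) pairs for HijackThis lines that match a hijack pattern."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m and RES_DLL.match(m.group("value")):
            hits.append(("search page redirected into a DLL resource", line))
            continue
        if line.startswith("R3 - Default URLSearchHook is missing"):
            hits.append(("default URLSearchHook missing (HijackThis R3)", line))
            continue
        m = BHO_LINE.match(line)
        if m and m.group("name") in ("Class", "(no name)"):
            hits.append(("anonymous BHO", line))
            continue
        m = O4_LINE.match(line)
        if m:
            w = WINDIR_EXE.match(m.group("cmd").strip('"'))
            if w:
                fname = w.group("file").lower()
                if fname not in KNOWN_GOOD and RANDOM_STEM.match(fname):
                    hits.append(("random-named autorun in Windows directory", line))
    return hits


def ads_hits(report_text):
    """Return (host_file, stream, detection) for alternate-data-stream entries in an
    ewido-style 'path -> detection : action' report. A colon after the drive letter
    splits the host file from the stream name (e.g. _default.pif:aeymh)."""
    ads = re.compile(r"^(?P<host>[A-Za-z]:\\[^:]+):(?P<stream>[^\s:]+) -> (?P<det>\S+)")
    out = []
    for line in report_text.splitlines():
        m = ads.match(line.strip())
        if m:
            out.append((m.group("host"), m.group("stream"), m.group("det")))
    return out


if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_HJT):
        print(f"[{reason}] {line}")
    for host, stream, det in ads_hits(SAMPLE_EWIDO):
        print(f"[ADS] {host} stream '{stream}' -> {det}")
```

Run against a saved HijackThis log, the script only narrows the list; the benign Google Toolbar O8 line, which also uses res://, is deliberately left alone because the hijack here lives in the R0/R1 keys, and any O4 name that happens to match the stem pattern still needs a human to confirm the file before it is fixed.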
#2
Old 06-07-2005, 10:28 PM
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Re: Another About:Blank Trojan Hijacked

Hello, TippaMagoo & welcome

Download About:Buster from the following link. Extract it from zip to your desktop. Open it and check for updates. (don't run the scan yet)

http://www.downloads.subratam.org/AboutBuster.zip

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Open AboutBuster
Click ok then start, then ok and finally yes to start the scan. Allow it to close explorer during the scan. If it asks to do a second scan allow it to do so. When the scan is complete save the log and close the program.


keeping the default options. However, some of the settings will need to be changed before your first scan

2. Close ALL windows except Ad-Aware SE

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include additional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose: 'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found


accepting the Default Settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ then download and install the Updates.

5. Next click the button ‘Check for Problems’

6. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window

7. Make certain there is a check mark beside all of the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT to complete the scan and clear memory.


Finally after running both Spybot SD and Ad-Aware SE, RESCAN with HijackThis and POST your logfile in the same thread using ‘Add Reply’.

HGD
#3
Old 07-07-2005, 05:35 AM
Newbie
D-A-L Newbie
 
Join Date: Jul 2005
Posts: 4
TippaMagoo Is a beginner here at D-A-L
Re: Another About:Blank Trojan Hijacked

First off, thank you for your help.

I followed your procedure and here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:10:04 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\James Snow\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wzpal.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wzpal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wzpal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wzpal.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wzpal.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3A3A2001-B541-3D27-89C0-16CDF8212342} - C:\WINNT\system32\winjg32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mfcxk.exe] C:\WINNT\system32\mfcxk.exe
O4 - HKLM\..\Run: [javaxa32.exe] C:\WINNT\javaxa32.exe
O4 - HKLM\..\Run: [d3my.exe] C:\WINNT\system32\d3my.exe
O4 - HKLM\..\Run: [atlis32.exe] C:\WINNT\system32\atlis32.exe
O4 - HKLM\..\Run: [sdknk.exe] C:\WINNT\system32\sdknk.exe
O4 - HKLM\..\Run: [mfczr32.exe] C:\WINNT\mfczr32.exe
O4 - HKLM\..\Run: [winjg32.exe] C:\WINNT\system32\winjg32.exe
O4 - HKLM\..\Run: [crpo.exe] C:\WINNT\crpo.exe
O4 - HKLM\..\Run: [javanh.exe] C:\WINNT\system32\javanh.exe
O4 - HKLM\..\Run: [sdkvk32.exe] C:\WINNT\sdkvk32.exe
O4 - HKLM\..\Run: [apiqs.exe] C:\WINNT\apiqs.exe
O4 - HKLM\..\Run: [syskj32.exe] C:\WINNT\system32\syskj32.exe
O4 - HKLM\..\Run: [addve32.exe] C:\WINNT\addve32.exe
O4 - HKLM\..\Run: [netjv.exe] C:\WINNT\system32\netjv.exe
O4 - HKLM\..\Run: [ntti32.exe] C:\WINNT\ntti32.exe
O4 - HKLM\..\Run: [sysun.exe] C:\WINNT\sysun.exe
O4 - HKLM\..\Run: [iekd32.exe] C:\WINNT\system32\iekd32.exe
O4 - HKLM\..\Run: [appqr.exe] C:\WINNT\appqr.exe
O4 - HKLM\..\Run: [apial32.exe] C:\WINNT\system32\apial32.exe
O4 - HKLM\..\Run: [msls32.exe] C:\WINNT\msls32.exe
O4 - HKLM\..\Run: [netdm.exe] C:\WINNT\system32\netdm.exe
O4 - HKLM\..\Run: [netjg.exe] C:\WINNT\netjg.exe
O4 - HKLM\..\Run: [apigc.exe] C:\WINNT\system32\apigc.exe
O4 - HKLM\..\Run: [crdz32.exe] C:\WINNT\system32\crdz32.exe
O4 - HKLM\..\Run: [crpr.exe] C:\WINNT\system32\crpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03827e2b2a8ca20...p/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C566096D-79E8-4998-9C69-379FF4F0702D}: NameServer = 63.240.76.19,204.127.198.19
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Thanks Again,

JS
#4
Old 07-07-2005, 01:36 PM
Senior Member
Loyal Contributor
 
Join Date: Aug 2004
Posts: 2,233
HJThis Helps others at D-A-L
Re: Another About:Blank Trojan Hijacked

Hi, TippaMagoo

Please, once again I have to say: move HijackThis to a folder
on the C: drive, like so: C:\HJT. This way, if something should
go wrong, we have back-ups.


Please read the complete post first, you should copy and paste this post to a new text Document or print it.


New Version 5.0! If you don't use it already:
Download About:Buster from this following location.
www.malwarebytes.biz/AboutBuster5.zip
unzip it to its own folder
Double-click to run it, press update (internet connection needed); after it has finished, close it. We will use it later.

Use Adaware Se 1.06 with latest updates, if not:
Download and install Adaware, uncheck "show help file" and "perform full system scan" at the end of the installing routine, perform the update and close Adaware. You will need it later


Latest version 2.15. If you don't have it:
Download and double-click http://cwshredder.net/bin/CWShredder.exe. Then close every window, disconnect from the Internet and double-click the CWShredder icon on your Desktop.
Click Fix and then Next, and let it fix everything it asks about.


Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wzpal.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wzpal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wzpal.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wzpal.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wzpal.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {3A3A2001-B541-3D27-89C0-16CDF8212342} - C:\WINNT\system32\winjg32.dll

O4 - HKLM\..\Run: [mfcxk.exe] C:\WINNT\system32\mfcxk.exe
O4 - HKLM\..\Run: [javaxa32.exe] C:\WINNT\javaxa32.exe
O4 - HKLM\..\Run: [d3my.exe] C:\WINNT\system32\d3my.exe
O4 - HKLM\..\Run: [atlis32.exe] C:\WINNT\system32\atlis32.exe
O4 - HKLM\..\Run: [sdknk.exe] C:\WINNT\system32\sdknk.exe
O4 - HKLM\..\Run: [mfczr32.exe] C:\WINNT\mfczr32.exe
O4 - HKLM\..\Run: [winjg32.exe] C:\WINNT\system32\winjg32.exe
O4 - HKLM\..\Run: [crpo.exe] C:\WINNT\crpo.exe
O4 - HKLM\..\Run: [javanh.exe] C:\WINNT\system32\javanh.exe
O4 - HKLM\..\Run: [sdkvk32.exe] C:\WINNT\sdkvk32.exe
O4 - HKLM\..\Run: [apiqs.exe] C:\WINNT\apiqs.exe
O4 - HKLM\..\Run: [syskj32.exe] C:\WINNT\system32\syskj32.exe
O4 - HKLM\..\Run: [addve32.exe] C:\WINNT\addve32.exe
O4 - HKLM\..\Run: [netjv.exe] C:\WINNT\system32\netjv.exe
O4 - HKLM\..\Run: [ntti32.exe] C:\WINNT\ntti32.exe
O4 - HKLM\..\Run: [sysun.exe] C:\WINNT\sysun.exe
O4 - HKLM\..\Run: [iekd32.exe] C:\WINNT\system32\iekd32.exe
O4 - HKLM\..\Run: [appqr.exe] C:\WINNT\appqr.exe
O4 - HKLM\..\Run: [apial32.exe] C:\WINNT\system32\apial32.exe
O4 - HKLM\..\Run: [msls32.exe] C:\WINNT\msls32.exe
O4 - HKLM\..\Run: [netdm.exe] C:\WINNT\system32\netdm.exe
O4 - HKLM\..\Run: [netjg.exe] C:\WINNT\netjg.exe
O4 - HKLM\..\Run: [apigc.exe] C:\WINNT\system32\apigc.exe
O4 - HKLM\..\Run: [crdz32.exe] C:\WINNT\system32\crdz32.exe
O4 - HKLM\..\Run: [crpr.exe] C:\WINNT\system32\crpr.exe

Reboot into safe boot. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter.

Maybe you need to unhide hidden files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Uncheck the box next to "Hide file extensions for known file types"
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Then open an Explorer window and delete these files and folders (if still there):

C:\WINNT\system32\winjg32.dll<---This file
C:\WINNT\system32\mfcxk.exe<---This file
C:\WINNT\javaxa32.exe<---This file
C:\WINNT\system32\d3my.exe<---This file
C:\WINNT\system32\atlis32.exe<---This file
C:\WINNT\system32\sdknk.exe<---This file
C:\WINNT\mfczr32.exe<---This file
C:\WINNT\system32\winjg32.exe<---This file
C:\WINNT\crpo.exe<---This file
C:\WINNT\system32\javanh.exe<---This file
C:\WINNT\sdkvk32.exe<---This file
C:\WINNT\apiqs.exe<---This file
C:\WINNT\system32\syskj32.exe<---This file
C:\WINNT\addve32.exe<---This file
C:\WINNT\system32\netjv.exe<---This file
C:\WINNT\ntti32.exe<---This file
C:\WINNT\sysun.exe<---This file
C:\WINNT\system32\iekd32.exe<---This file
C:\WINNT\appqr.exe<---This file
C:\WINNT\system32\apial32.exe<---This file
C:\WINNT\msls32.exe<---This file
C:\WINNT\system32\netdm.exe<---This file
C:\WINNT\netjg.exe<---This file
C:\WINNT\system32\apigc.exe<---This file
C:\WINNT\system32\crdz32.exe<---This file
C:\WINNT\system32\crpr.exe<---This file


Now launch About:Buster:
*Click the OK button
*Click the Start button
*Click the OK button
*Click the Yes button.
After the first scan, if it prompts you to do a second pass, allow it to do so.
Please save the log and post it later

Run CWShredder again.

Run Ad-Aware and perform a full system scan.

Reboot and download http://www.ccleaner.com/ccdownload.php, install and run it to delete any files from "temp" and "tmp" folders (DON'T USE THE ISSUES TAB). Also, empty the Recycle Bin by right-clicking on it and selecting "Empty Recycle Bin". Just start CCleaner and click Run Cleaner. This cleaning should be done on a regular basis.

Download http://lineofire.geekstogo.com/cwsserviceremove.zip
Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
Double-click it to merge it into your registry. Click OK if asked.

Download: DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf
To use: Close all open browsers
Right-click DelDomains.inf and select: Install
Note: this will remove all entries in the Trusted Zone and Restricted Zone.

Download http://www.funkytoad.com/download/hoster.zip
Press "Restore Original Hosts" and press "OK"
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself!

Post a fresh HijackThis log to check


Replacing missing files (Control Panel, etc.):

control.exe - Visit this page: http://216.180.233.162/~merijn/winfiles.html
Download the version of control.exe that corresponds to your operating system.
If you are running Windows 95, 98, or ME copy it to C:\WINDOWS.
If you are running Windows 2000 copy it to C:\WINNT\system32.
If you are running Windows XP copy it to C:\WINDOWS\system32.
HOSTS - Download the Hoster.
Unzip Hoster to a convenient folder such as C:\Hoster.
Run Hoster.exe, click Restore Original Hosts and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
SDHelper.dll - If you have Spybot Search & Destroy installed download a new SDHelper.dll from here and copy it to the default Spybot folder.
The normal path is C:\Program Files\Spybot - Search & Destroy.
shell.dll - Visit this page.
Download the version that corresponds to your operating system.
If you are running Windows 98 copy it to C:\WINDOWS\System.
If you are running Windows 2000 copy it to C:\WINNT\System32.
If you are running Windows XP copy it to C:\WINDOWS\System32.

HGD
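The fix list in the post above is the helper's hand triage of the log. As an added example (not code from the post or from HijackThis), here is a Python script that applies the same reasoning to a log mechanically: R0/R1 values that point into a res:// page inside a DLL, a BHO or Run entry loading a bare file dropped straight into the Windows or system32 directory, a Run value named after its own executable, the removed URLSearchHook, and a DPF entry with no name and no URL. The two sample logs are constructed from lines in this thread (the post-cleanup start page value is made up); the ctfmon.exe allowlist, which keeps the legitimate Office language bar entry off the list, is an assumption you would extend for the machine being examined. about:blank on its own is not flagged, since it is a valid default; the res:// values and the DLL behind them are what mark the hijack.

```python
"""Triage a HijackThis 1.99 log the way the helper in this thread did by hand.

Added example for this page; not code from the post or from HijackThis.
The sample logs are constructed from lines in the thread, and the
KNOWN_WINDIR_RUN allowlist is an assumption.
"""
import re
from dataclasses import dataclass

ENTRY = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# Start/search page redirected into an HTML resource embedded in a DLL.
RES_HIJACK = re.compile(r"^res://.+\.dll/", re.I)
# A bare .exe/.dll dropped directly into the Windows or system32 directory.
WINDIR_DROP = re.compile(r"^c:\\win(nt|dows)\\(system32\\)?[^\\]+\.(exe|dll)$", re.I)
O4_RUN = re.compile(r"^HK(LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O2_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O16_EMPTY = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}\s*-\s*$")
# Windows components legitimately started by a Run value named after their
# own file (assumption: extend for the machine being examined).
KNOWN_WINDIR_RUN = {"ctfmon.exe"}

@dataclass(frozen=True)
class Finding:
    line: str
    reason: str

def entries(log: str):
    """Yield (type, body, full line) for every HijackThis entry line."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group("type"), m.group("body"), line

def triage(log: str) -> list:
    """Return the entries a helper would put on the 'Fix checked' list."""
    found = []
    for typ, body, line in entries(log):
        if typ in ("R0", "R1"):
            value = body.partition("=")[2].strip()
            if RES_HIJACK.match(value):
                found.append(Finding(line, "IE page/search value points into a res:// page inside a DLL"))
        elif typ == "R3" and "URLSearchHook is missing" in body:
            found.append(Finding(line, "default URLSearchHook has been removed"))
        elif typ == "O2":
            m = O2_BHO.match(body)
            if m and WINDIR_DROP.match(m.group("path")):
                found.append(Finding(line, "BHO loads a DLL dropped directly into the Windows directory"))
        elif typ == "O4":
            m = O4_RUN.match(body)
            if m:
                name, path = m.group("name").lower(), m.group("path")
                self_named = path.lower().endswith("\\" + name)
                if WINDIR_DROP.match(path) and self_named and name not in KNOWN_WINDIR_RUN:
                    found.append(Finding(line, "Run value named after a bare .exe in the Windows directory"))
        elif typ == "O16" and O16_EMPTY.match(body):
            found.append(Finding(line, "DPF entry with no name and no download URL (orphaned; review)"))
    return found

def resolved(before: str, after: str) -> list:
    """Findings from the first log whose lines no longer appear in the second."""
    still_there = {line for _, _, line in entries(after)}
    return [f for f in triage(before) if f.line not in still_there]

# Constructed from lines in this thread: a slice of the infected log ...
SAMPLE_BEFORE = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wzpal.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wzpal.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3A3A2001-B541-3D27-89C0-16CDF8212342} - C:\WINNT\system32\winjg32.dll
O4 - HKLM\..\Run: [mfcxk.exe] C:\WINNT\system32\mfcxk.exe
O4 - HKLM\..\Run: [javaxa32.exe] C:\WINNT\javaxa32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
"""
# ... and of the follow-up log after the fix (the start page value is constructed).
SAMPLE_AFTER = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f"FIX  {f.line}\n     {f.reason}")
    print(f"{len(resolved(SAMPLE_BEFORE, SAMPLE_AFTER))} flagged entries gone after cleanup;"
          f" {len(triage(SAMPLE_AFTER))} still to review")
```

Run it as-is to see the findings on the constructed samples, or paste a real log into a file and call triage() on its contents. resolved() is the check to run on the follow-up log: everything flagged in the first log should be absent from the second, and whatever triage() still flags in the second is what remains to look at. The heuristics are a triage aid, not a verdict; a flagged entry is a reason to look at the file, not proof that it is malicious.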
#5 | 07-07-2005, 08:40 PM | TippaMagoo (Newbie; Join Date: Jul 2005; Posts: 4)
Re: Another About:Blank Trojan Hijacked

Hi again HJThis,

After following the above instructions, here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:35:19 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\brss01a.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03827e2b2a8ca20...p/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C566096D-79E8-4998-9C69-379FF4F0702D}: NameServer = 63.240.76.19,204.127.198.19
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

You also said you'd like the About:Buster log:

AboutBuster 5.0 reference file 30
Scan started on [7/7/2005] at [2:05:19 PM]
------------------------------------------------
Removed Stream! C:\WINNT\KB841873.log:qkgve
Removed Stream! C:\WINNT\KB842773.log:iwxmd
Removed Stream! C:\WINNT\KB885835.log:blkgb
Removed Stream! C:\WINNT\KB890859.log:hspytm
Removed Stream! C:\WINNT\KB893066.log:zlzdnw
Removed Stream! C:\WINNT\Prairie Wind.bmp:nghov
Removed Stream! C:\WINNT\Q810833.log:umcuz
Removed Stream! C:\WINNT\Santa Fe Stucco.bmp:ygvgo
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:05:21 PM


I also replaced the missing files, but the links for the SDHelper.dll and shell.dll did not appear in your above post. I could probably just Google them, but I don't want to get anything shady and nullify the work you've done.

Thanks,

Jim
#6 | 08-07-2005, 03:10 AM | HJThis (Senior Member, Loyal Contributor; Join Date: Aug 2004; Posts: 2,233)
Re: Another About:Blank Trojan Hijacked

Hi, Jim

Great work. Now do this right away, please:

Click Start -> Settings -> Control Panel -> Internet Options -> Programs tab -> RESET WEB SETTINGS

That will change everything back to the defaults (M$)...

Change your homepage and search engines to whatever you wish and restart your PC.

When it boots back up, open IE and see if the page stays the way that you set it.

Also get this out of the way

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab.
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
   1. Change "Download signed ActiveX controls" to Prompt.
   2. Change "Download unsigned ActiveX controls" to Disable.
   3. Change "Initialize and script ActiveX controls not marked as safe" to Disable.
   4. Change "Installation of desktop items" to Prompt.
   5. Change "Launching programs and files in an IFRAME" to Prompt.
   6. Change "Navigate sub-frames across different domains" to Prompt.
   7. When all these settings have been made, click on the OK button.
   8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then OK to exit the Internet Properties page.


& here

Empty your Temp folders as follows:
Open Internet Explorer. You'll get a Page not Found error, but that's normal in safe mode.
At the top, click Tools > Internet Options and then, in the center, click Delete Cookies.
Click Delete Files and then, in the new applet, check the box for all offline content.
Click OK.
Close that applet and open the C:\Windows\Temp folder, and delete all files in there too, and all files in sub-folders of Temp.
Note: If you cannot delete them all at once because you have too many, then click and hold Ctrl and highlight a batch of them at a time. Once highlighted, right-click over the highlight and select Delete. Rinse, lather, repeat until the folder is empty.
Double-check to see if the folder C:\Documents and Settings\YOUR NAME\Local Settings\Temp is empty.
Empty your Recycle Bin.

HGD
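The six Custom Level settings in the post above are stored as DWORD values under the Internet zone's registry key, which lets you apply or audit them without clicking through the dialog, on one machine or many. As an added example (not code from the post), here is a Python script that writes the post's settings out as a .reg file and audits a zone's current values against them. The key path, the value names (the URL action IDs) and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are Microsoft's documented ones; the starting values in WEAK_EXAMPLE are constructed for the demonstration, and read_current_zone() only works on Windows.

```python
"""Write the post's Internet-zone hardening as a .reg file and audit a zone against it.

Added example for this page; not code from the post. Key, value names and
the 0/1/3 encoding are Microsoft's documented URL-action settings; the
WEAK_EXAMPLE values are constructed to show the audit.
"""
import sys
from typing import Optional

ENABLE, PROMPT, DISABLE = 0, 1, 3          # stricter as the number grows
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# Zone 3 is the Internet zone; per-user settings live under HKCU.
ZONE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# URL action IDs (the registry value names) for the six settings in the post.
HARDENING = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed starting point: three settings weaker than the target, one not set.
WEAK_EXAMPLE = {"1001": ENABLE, "1004": DISABLE, "1201": ENABLE, "1800": PROMPT, "1804": ENABLE}

def audit(current: dict) -> list:
    """Return (value name, label, current, wanted) for every setting that is
    weaker than the post's target or not set at all. Because Enable < Prompt
    < Disable numerically, 'weaker' is simply a smaller value."""
    gaps = []
    for name, (label, wanted) in HARDENING.items():
        have: Optional[int] = current.get(name)
        if have is None or have < wanted:
            gaps.append((name, label, have, wanted))
    return gaps

def to_reg(settings=HARDENING) -> str:
    """Render the target settings as a regedit 5.00 file (CRLF line ends)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[HKEY_CURRENT_USER\\{ZONE_SUBKEY}]"]
    for name, (label, wanted) in settings.items():
        lines.append(f"; {label} = {LABEL[wanted]}")
        lines.append(f'"{name}"=dword:{wanted:08x}')
    return "\r\n".join(lines) + "\r\n"

def read_current_zone() -> dict:
    """Read the live HKCU Internet-zone values (Windows only)."""
    if sys.platform != "win32":
        raise OSError("the registry is only readable on Windows")
    import winreg
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_SUBKEY) as key:
        for name in HARDENING:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                current[name] = int(value)
            except FileNotFoundError:
                pass                      # value absent: audit() reports it as not set
    return current

if __name__ == "__main__":
    current = read_current_zone() if sys.platform == "win32" else WEAK_EXAMPLE
    for name, label, have, wanted in audit(current):
        shown = "not set" if have is None else LABEL[have]
        print(f"{name} {label}: {shown} -> {LABEL[wanted]}")
    with open("ie_internet_zone_hardening.reg", "w", newline="") as fh:
        fh.write(to_reg())
```

Merge the generated file with regedit or `reg import ie_internet_zone_hardening.reg`, then reopen IE; the audit reads HKCU, so run it as the user whose IE profile you are hardening. A value the audit reports as "not set" means IE is using the zone template's default for that action, so the .reg file sets all six explicitly rather than relying on the default.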
#7 | 08-07-2005, 03:15 AM | HJThis (Senior Member, Loyal Contributor; Join Date: Aug 2004; Posts: 2,233)
Re: Another About:Blank Trojan Hijacked

Hey, Jim

Oops.

Forgot to add this for you: get them, update them all, and keep them updated.

SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard - An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
http://www.javacoolsoftware.com/spywareguard.html

IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
https://netfiles.uiuc.edu/ehowes/www/resource.htm

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

And this program here will help keep your PC clean.

One of the popular programs for doing this is a freeware program called Crap Cleaner. Crap Cleaner is a single utility that lets you clear your cookies and Internet Explorer history, empty the Recycle Bin, uninstall programs, clear usage tracks and much more. As well as this, it has an advanced registry scanner. Using a program like this is one of the easiest methods.

You should also think about using Firefox or Mozilla, and use IE for updates.

Get your Firefox here

Mo who

HGD
#8 | 08-07-2005, 04:28 AM | TippaMagoo (Newbie; Join Date: Jul 2005; Posts: 4)
Re: Another About:Blank Trojan Hijacked

Hi HGD,

I cannot thank you enough for your help. You saved my machine from taking a swim in the pool.

Cheers,

Jim
#9 | 08-07-2005, 06:33 AM | HJThis (Senior Member, Loyal Contributor; Join Date: Aug 2004; Posts: 2,233)
Re: Another About:Blank Trojan Hijacked

Hi, Jim

Now we don't want that, do we? Then we have to go out
and get a new one, and the moms will get
at us all. Not good.

no problem

HGD