Another Hijack this log

Hello,

I have a browser hijacker on my computer. I've cleared cache, cookies, temp files, etc and have run Ad-Aware, Spybot, Norton antivirus, AntiVir and have bought XoftSpy hoping to remove this but nothing has helped. I'm hoping this log will hold a clue as to what is infecting my computer.

Thank you all for your help and for creating a site like this.

The log:

Logfile of HijackThis v1.99.1
Scan saved at 4:34:39 PM, on 11/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
E:\PROGRAM FILES\KODAK PICTURE TRANSFER SOFTWARE\PTS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = :0
O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.5 x.full-tgp.net
O1 - Hosts: 127.0.0.5 counter.sexmaniack.com
O1 - Hosts: 127.0.0.5 autoescrowpay.com
O1 - Hosts: 127.0.0.5 www.autoescrowpay.com
O1 - Hosts: 127.0.0.5 www.awmdabest.com
O1 - Hosts: 127.0.0.5 www.sexfiles.nu
O1 - Hosts: 127.0.0.5 awmdabest.com
O1 - Hosts: 127.0.0.5 sexfiles.nu
O1 - Hosts: 127.0.0.5 allforadult.com
O1 - Hosts: 127.0.0.5 www.allforadult.com
O1 - Hosts: 127.0.0.5 www.iframe.biz
O1 - Hosts: 127.0.0.5 iframe.biz
O1 - Hosts: 127.0.0.5 www.newiframe.biz
O1 - Hosts: 127.0.0.5 newiframe.biz
O1 - Hosts: 127.0.0.5 www.vesbiz.biz
O1 - Hosts: 127.0.0.5 vesbiz.biz
O1 - Hosts: 127.0.0.5 www.pizdato.biz
O1 - Hosts: 127.0.0.5 pizdato.biz
O1 - Hosts: 127.0.0.5 www.awmcash.biz
O1 - Hosts: 127.0.0.5 awmcash.biz
O1 - Hosts: 127.0.0.5 buldog-stats.com
O1 - Hosts: 127.0.0.5 www.buldog-stats.com
O1 - Hosts: 127.0.0.5 fregat.drocherway.com
O1 - Hosts: 127.0.0.5 slutmania.biz
O1 - Hosts: 127.0.0.5 www.slutmania.biz
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.megapornix.com
O1 - Hosts: 127.0.0.5 megapornix.com
O1 - Hosts: 127.0.0.5 www.sp2****ed.biz
O1 - Hosts: 127.0.0.5 sp2****ed.biz
O1 - Hosts: 127.0.0.5 greg-tut.com
O1 - Hosts: 127.0.0.5 www.greg-tut.com
O1 - Hosts: 127.0.0.5 nylonsexy.com
O1 - Hosts: 127.0.0.5 www.nylonsexy.com
O1 - Hosts: 127.0.0.5 vparivalka.com
O1 - Hosts: 127.0.0.5 www.vparivalka.com
O1 - Hosts: 127.0.0.5 iframeprofit.com
O1 - Hosts: 127.0.0.5 www.iframeprofit.com
O1 - Hosts: 127.0.0.5 topsearch10.com
O1 - Hosts: 127.0.0.5 www.topsearch10.com
O1 - Hosts: 127.0.0.5 statscash.biz
O1 - Hosts: 127.0.0.5 www.statscash.biz
O1 - Hosts: 127.0.0.5 vxiframe.biz
O1 - Hosts: 127.0.0.5 www.vxiframe.biz
O1 - Hosts: 127.0.0.5 crazy-toolbar.com
O1 - Hosts: 127.0.0.5 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.5 topcash.biz
O1 - Hosts: 127.0.0.5 www.topcash.biz
O1 - Hosts: 127.0.0.5 loadcash.biz
O1 - Hosts: 127.0.0.5 www.loadcash.biz
O1 - Hosts: 127.0.0.5 txiframe.biz
O1 - Hosts: 127.0.0.5 www.txiframe.biz
O1 - Hosts: 127.0.0.5 procounter.biz
O1 - Hosts: 127.0.0.5 www.procounter.biz
O1 - Hosts: 127.0.0.5 advadmin.biz
O1 - Hosts: 127.0.0.5 www.advadmin.biz
O1 - Hosts: 127.0.0.5 trafficbest.net
O1 - Hosts: 127.0.0.5 www.trafficbest.net
O1 - Hosts: 127.0.0.5 besthvac.com
O1 - Hosts: 127.0.0.5 www.besthvac.com
O1 - Hosts: 127.0.0.5 traff4.com
O1 - Hosts: 127.0.0.5 www.traff4.com
O1 - Hosts: 127.0.0.5 ambush-script.com
O1 - Hosts: 127.0.0.5 www.ambush-script.com
O1 - Hosts: 127.0.0.5 beehappyy.biz
O1 - Hosts: 127.0.0.5 www.beehappyy.biz
O1 - Hosts: 127.0.0.5 tracktraff.cc
O1 - Hosts: 127.0.0.5 www.tracktraff.cc
O1 - Hosts: 127.0.0.5 allcount.net
O1 - Hosts: 127.0.0.5 www.allcount.net
O1 - Hosts: 127.0.0.5 onedayoffer.biz
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NPROTECT] D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [NPROTECT] D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] D:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: KODAK Picture Transfer Software.lnk = E:\PROGRAM FILES\KODAK Picture Transfer Software\pts.exe
O4 - Startup: BOINC Manager.lnk = F:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/70efdf/games...ploader_v6.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://209.67.146.68/ePlayer/2_0/ACNePlayer.cab
O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.com/media/6364d3/g...ameloader6.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Welcome to DAL,

Disable SpyHunter for the time being

Go into add/remove and remove:

weatherBug---if the free version


Please download hoster from the link below.

http://www.funkytoad.com/download/hoster.zip

Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

NEXT

Next,
Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
Install it and check for updates then exit, we will use it later.

Next,
Please download CWShredder from here( this is the older version), then exit no run yet http://www.thatcomputerguy.us/downloads-cat4.html

Scan with Hijackthis again and put a check next to these items and making sure all browser windows are closed before clicking fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

Fix these below if still there

O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.5 x.full-tgp.net
O1 - Hosts: 127.0.0.5 counter.sexmaniack.com
O1 - Hosts: 127.0.0.5 autoescrowpay.com
O1 - Hosts: 127.0.0.5 www.autoescrowpay.com
O1 - Hosts: 127.0.0.5 www.awmdabest.com
O1 - Hosts: 127.0.0.5 www.sexfiles.nu
O1 - Hosts: 127.0.0.5 awmdabest.com
O1 - Hosts: 127.0.0.5 sexfiles.nu
O1 - Hosts: 127.0.0.5 allforadult.com
O1 - Hosts: 127.0.0.5 www.allforadult.com
O1 - Hosts: 127.0.0.5 www.iframe.biz
O1 - Hosts: 127.0.0.5 iframe.biz
O1 - Hosts: 127.0.0.5 www.newiframe.biz
O1 - Hosts: 127.0.0.5 newiframe.biz
O1 - Hosts: 127.0.0.5 www.vesbiz.biz
O1 - Hosts: 127.0.0.5 vesbiz.biz
O1 - Hosts: 127.0.0.5 www.pizdato.biz
O1 - Hosts: 127.0.0.5 pizdato.biz
O1 - Hosts: 127.0.0.5 www.awmcash.biz
O1 - Hosts: 127.0.0.5 awmcash.biz
O1 - Hosts: 127.0.0.5 buldog-stats.com
O1 - Hosts: 127.0.0.5 www.buldog-stats.com
O1 - Hosts: 127.0.0.5 fregat.drocherway.com
O1 - Hosts: 127.0.0.5 slutmania.biz
O1 - Hosts: 127.0.0.5 www.slutmania.biz
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.megapornix.com
O1 - Hosts: 127.0.0.5 megapornix.com
O1 - Hosts: 127.0.0.5 www.sp2****ed.biz
O1 - Hosts: 127.0.0.5 sp2****ed.biz
O1 - Hosts: 127.0.0.5 greg-tut.com
O1 - Hosts: 127.0.0.5 www.greg-tut.com
O1 - Hosts: 127.0.0.5 nylonsexy.com
O1 - Hosts: 127.0.0.5 www.nylonsexy.com
O1 - Hosts: 127.0.0.5 vparivalka.com
O1 - Hosts: 127.0.0.5 www.vparivalka.com
O1 - Hosts: 127.0.0.5 iframeprofit.com
O1 - Hosts: 127.0.0.5 www.iframeprofit.com
O1 - Hosts: 127.0.0.5 topsearch10.com
O1 - Hosts: 127.0.0.5 www.topsearch10.com
O1 - Hosts: 127.0.0.5 statscash.biz
O1 - Hosts: 127.0.0.5 www.statscash.biz
O1 - Hosts: 127.0.0.5 vxiframe.biz
O1 - Hosts: 127.0.0.5 www.vxiframe.biz
O1 - Hosts: 127.0.0.5 crazy-toolbar.com
O1 - Hosts: 127.0.0.5 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.5 topcash.biz
O1 - Hosts: 127.0.0.5 www.topcash.biz
O1 - Hosts: 127.0.0.5 loadcash.biz
O1 - Hosts: 127.0.0.5 www.loadcash.biz
O1 - Hosts: 127.0.0.5 txiframe.biz
O1 - Hosts: 127.0.0.5 www.txiframe.biz
O1 - Hosts: 127.0.0.5 procounter.biz
O1 - Hosts: 127.0.0.5 www.procounter.biz
O1 - Hosts: 127.0.0.5 advadmin.biz
O1 - Hosts: 127.0.0.5 www.advadmin.biz
O1 - Hosts: 127.0.0.5 trafficbest.net
O1 - Hosts: 127.0.0.5 www.trafficbest.net
O1 - Hosts: 127.0.0.5 besthvac.com
O1 - Hosts: 127.0.0.5 www.besthvac.com
O1 - Hosts: 127.0.0.5 traff4.com
O1 - Hosts: 127.0.0.5 www.traff4.com
O1 - Hosts: 127.0.0.5 ambush-script.com
O1 - Hosts: 127.0.0.5 www.ambush-script.com
O1 - Hosts: 127.0.0.5 beehappyy.biz
O1 - Hosts: 127.0.0.5 www.beehappyy.biz
O1 - Hosts: 127.0.0.5 tracktraff.cc
O1 - Hosts: 127.0.0.5 www.tracktraff.cc
O1 - Hosts: 127.0.0.5 allcount.net
O1 - Hosts: 127.0.0.5 www.allcount.net
O1 - Hosts: 127.0.0.5 onedayoffer.biz

Again make sure all browser windows are closed and click FIX


Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.


Now run the CWShredders, just pick one and click fix to run it when that one is done do the same for the other please.

Reboot normal mode and post a new HJT log please.

__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|



ASAP: promoting a high standard and quality of security support no matter where you seek help.