Hijack This log - I'm infected with "Home Search Assistent"

Thanks in advance for your help.
My laptop can no longer access the Internet due to "Home Search Assistent"[sic].

Rick.
Here is the log:
========================================

Logfile of HijackThis v1.98.0
Scan saved at 10:42:09 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
c:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\ntab.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\atlsg.exe
C:\WINDOWS\System32\byzzlh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Starfish\TrueSync\TSTool.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hijack This\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pkvgz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pkvgz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jared Fox\Application Data\Mozilla\Profiles\default\is142dxb.slt\prefs.j s)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0F535CE1-94CC-4441-B333-607C16F55F70} - C:\WINDOWS\System32\bji.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5CE442C-2593-EF03-7AA2-92CD1F3D4D6F} - C:\WINDOWS\sdkcc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoLaunch] C:\Program Files\Mobility Manager\Mobility Manager\FMM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [atlsg.exe] C:\WINDOWS\system32\atlsg.exe
O4 - HKLM\..\Run: [lrsqzidrbbapx] C:\WINDOWS\System32\byzzlh.exe
O4 - HKLM\..\RunOnce: [ntab.exe] C:\WINDOWS\system32\ntab.exe
O4 - HKLM\..\RunOnce: [d3nl32.exe] C:\WINDOWS\d3nl32.exe
O4 - HKLM\..\RunOnce: [appol.exe] C:\WINDOWS\appol.exe
O4 - HKLM\..\RunOnce: [javacz.exe] C:\WINDOWS\javacz.exe
O4 - HKLM\..\RunOnce: [addjo.exe] C:\WINDOWS\addjo.exe
O4 - HKLM\..\RunOnce: [mfcuu32.exe] C:\WINDOWS\mfcuu32.exe
O4 - HKLM\..\RunOnce: [apimb32.exe] C:\WINDOWS\apimb32.exe
O4 - HKLM\..\RunOnce: [ipib.exe] C:\WINDOWS\ipib.exe
O4 - HKLM\..\RunOnce: [javavq32.exe] C:\WINDOWS\javavq32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\TSTool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/226f736a1d844a5...p/RdxIE601.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O18 - Filter: text/html - {3420983E-08A9-4B7C-94A8-960FF3F78333} - C:\WINDOWS\System32\bji.dll
O18 - Filter: text/plain - {3420983E-08A9-4B7C-94A8-960FF3F78333} - C:\WINDOWS\System32\bji.dll

Hello rick3foxes,
Please could you Download About:Buster from either of the following locations.

http://www.atribune.org/downloads/AboutBuster.zip
or
http://tools.zerosrealm.com/AboutBuster.zip

Make sure you close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

Reboot and post a new HijackThis log along with the report from About:Buster.

__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|

[*]Be patient and wait for a response, we'll do our best to help resolve your issue.
[*]When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info

Thanks, Owen.
BTW, I also notice that the laptop no longer has NOTEPAD.exe, and MS Office programs are requesting that certain modules be installed...

It seems that this spyware may have done more than hijack my browser...

Rick.
===========================================

About:Buster Version 1.24
Removed! : C:\WINDOWS\addjo.exe
Removed! : C:\WINDOWS\apimb32.exe
Removed! : C:\WINDOWS\appol.exe
Removed! : C:\WINDOWS\arwiy.dat
Removed! : C:\WINDOWS\atllg32.dll
Removed! : C:\WINDOWS\bfmfsp.dat
Removed! : C:\WINDOWS\bmnldy.dat
Removed! : C:\WINDOWS\bsdchc.dat
Removed! : C:\WINDOWS\csfhkx.dat
Removed! : C:\WINDOWS\cyzhvs.dat
Removed! : C:\WINDOWS\d3nl32.exe
Removed! : C:\WINDOWS\drfcfv.dat
Removed! : C:\WINDOWS\eodyhh.dat
Removed! : C:\WINDOWS\ipib.exe
Removed! : C:\WINDOWS\javacz.exe
Removed! : C:\WINDOWS\javavq32.exe
Removed! : C:\WINDOWS\mfcuu32.exe
Removed! : C:\WINDOWS\pildm.dat
Removed! : C:\WINDOWS\sbwhjw.dat
Removed! : C:\WINDOWS\sdkcc.dll
Removed! : C:\WINDOWS\swhmvs.dat
Removed! : C:\WINDOWS\tmgdec.dat
Removed! : C:\WINDOWS\tuhek.dat
Removed! : C:\WINDOWS\uzriiz.dat
Removed! : C:\WINDOWS\vbkeqy.dat
Removed! : C:\WINDOWS\vobtel.dat
Removed! : C:\WINDOWS\voxpb.dat
Removed! : C:\WINDOWS\vtvqks.dat
Removed! : C:\WINDOWS\xwonxz.dat
Removed! : C:\WINDOWS\yvyray.dat
Removed! : C:\WINDOWS\zrpufo.dat
Removed! : C:\WINDOWS\zyjone.dat
Error Removing! : C:\WINDOWS\System32\atlsg.exe
Removed! : C:\WINDOWS\System32\iphm.exe
Removed! : C:\WINDOWS\System32\javaja.dll
Removed! : C:\WINDOWS\System32\ntab.exe
Removed! : C:\WINDOWS\System32\ohdje.dat
Removed! : C:\WINDOWS\System32\oxtgz.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

About:Buster Version 1.24
Removed! : C:\WINDOWS\System32\atlsg.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done


============================================
Logfile of HijackThis v1.98.0
Scan saved at 12:08:17 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mobility Manager\Mobility Manager\FMM.exe
C:\WINDOWS\System32\byzzlh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Starfish\TrueSync\TSTool.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
c:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hijack This\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jared Fox\Application Data\Mozilla\Profiles\default\is142dxb.slt\prefs.j s)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6DC9EDDC-D300-4F11-98C7-F74B35B87854} - C:\WINDOWS\System32\bgaeb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5CE442C-2593-EF03-7AA2-92CD1F3D4D6F} - C:\WINDOWS\sdkcc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoLaunch] C:\Program Files\Mobility Manager\Mobility Manager\FMM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lrsqzidrbbapx] C:\WINDOWS\System32\byzzlh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\TSTool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/226f736a1d844a5...p/RdxIE601.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O18 - Filter: text/html - {9C8ADBC9-BEE1-4065-B342-A9B216D37033} - C:\WINDOWS\System32\bgaeb.dll
O18 - Filter: text/plain - {9C8ADBC9-BEE1-4065-B342-A9B216D37033} - C:\WINDOWS\System32\bgaeb.dll

Restart Hijack This and put a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JAREDF~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {6DC9EDDC-D300-4F11-98C7-F74B35B87854} - C:\WINDOWS\System32\bgaeb.dll
O2 - BHO: (no name) - {E5CE442C-2593-EF03-7AA2-92CD1F3D4D6F} - C:\WINDOWS\sdkcc.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lrsqzidrbbapx] C:\WINDOWS\System32\byzzlh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O18 - Filter: text/html - {9C8ADBC9-BEE1-4065-B342-A9B216D37033} - C:\WINDOWS\System32\bgaeb.dll
O18 - Filter: text/plain - {9C8ADBC9-BEE1-4065-B342-A9B216D37033} - C:\WINDOWS\System32\bgaeb.dll

Click Fix Checked

Then could you Download (or use the copy you have if you kept it) about:Buster from either of the following locations.

http://www.atribune.org/downloads/AboutBuster.zip
or
http://tools.zerosrealm.com/AboutBuster.zip

Make sure you close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

Reboot and post a new HijackThis log along with the report from about:Buster.

__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|

[*]Be patient and wait for a response, we'll do our best to help resolve your issue.
[*]When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info

Sorry Owen, I think you have your CWS trojans mixed up...


rick3foxes, please follow thes instructions:


Click Here or Here to download FindnFix.exe. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt back here.

Hmm... Is there a disagreement about my next step?
Should I continue on Owen's instructions?
Just in case, here is the log from !log!.bat

Thanks again,
Rick.

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q822925-Q330994-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

Mon 07/05/2004
9:07pm up 0 days, 9:04

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\WINHL.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINHL.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
WINHL.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
winhl.dll Tue Jun 29 2004 1:02:00p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
apidd32.dll Fri May 21 2004 2:12:36a A.SH. 0 0.00 K
sdkqf32.dll Thu May 6 2004 10:23:20a A.SH. 0 0.00 K
ybhff.dll Mon Jun 7 2004 5:34:26a A.SH. 0 0.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 0 bytes 0.00 K

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\APIDD32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SDKQF32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WINHL.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\YBHFF.DLL


»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... WINHL.DLL .....57344 29.06.2004

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group JARED\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service searchdifferent variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-29-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JARED\Jared Fox
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: JARED\Jared Fox

Primary Group: JARED\None



»»»»»»Backups created...»»»»»»
9:08pm up 0 days, 9:06
Mon 07/05/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 07-05-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-05-2004 winkey.reg

»»Performing string scan....
00001150: ?
00001190: WUU vk UDeviceNo
000011D0:tSelectedTimeout 1 5 @ vk ' z
00001210:GDIProcessHandleQuota" 9 0 | vk X
00001250:Spooler2 y e s n vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' i USERProcessHandleQuotai 8
00001310:h vk < H TAppInit_DLLsoutQ C :
00001350:\ W I N D O W S \ S y s t e m 3 2 \ w i n h l . d l l x y on
00001390: the computer. Virtual memory consists of the space in physical
000013D0: memory and on disk. Many of the memory counters monitor paging
00001410:, which is the movement of pages of code and data between disk a
00001450:nd physical memory. Excessive paging, a symptom of a memory sho
00001490:rtage, can cause delays which interfere with all system processe
000014D0:s. Amendment locale DisplayName Memory genericperfctr Avai
00001510:lableBytes < +
00001550:

---------- WIN.TXT
TAppInit_DLLsoutQÀÿÿÿC
--------------
yes
C:\WINDOWS\System32\winhl.dll
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""


**File C:\FINDnFIX\WIN.TXT
 


  

 ÿWUUÐÿÿÿvk  à


ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  @  °
Ðÿÿÿvk  €' 
zGDIProcessHandleQuota"þðÿÿÿ9 0  �¸| àÿÿÿvk  X

°ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk  €

=pswapdisk °
ø
8 h * Ðÿÿÿvk  (

R¿TransmissionRetryTimeoutÐÿÿÿvk  €' 
i USERProcessHandleQuotai àÿÿÿ°
ø
8 h * Ð  Øÿÿÿvk < H

TAppInit_DLLsoutQÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ w i n h l . d l l x y on the computer. Virtual memory consists of the space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory. Excessive paging, a symptom of a memory shortage, can cause delays which interfere with all system processes. Amendment locale DisplayName Memory genericperfctr AvailableBytes  <  +


Be sure to follow the next set of steps carefully, in
the exact order specified:


-Open the FINDnFIX\Keys1 Subfolder.
- Locate the "MOVEit.bat" file, Right-Click
on it, select->edit:
The file will open as text file.
-Copy and paste the following line into the 'MOVEit' file, replacing it's contents:

move%WinDir%\System32WINHL.DLL\%SystemDrive%\junkx xx\WINHL.DLL

Be sure to Replace the text in the file with the command above!


-Save the file and close.

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart, Navigate to:
C:\FINDnFIX\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce new log. (log1.txt) post it here.

Here goes......




»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

Thu 07/08/2004
7:15pm up 0 days, 0:01

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q822925-Q330994-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»
Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»
\\?\C:\WINDOWS\System32\WINHL.DLL +++ File read error
C:\WINDOWS\System32\WINHL.DLL +++ File read error

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT
WINHL.DLL Can't Open!

»»»»»»» (3) »»»»»»»

C:\WINDOWS\SYSTEM32\
winhl.dll Tue Jun 29 2004 1:02:00p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

C:\WINDOWS\SYSTEM32\
apidd32.dll Fri May 21 2004 2:12:36a A.SH. 0 0.00 K
sdkqf32.dll Thu May 6 2004 10:23:20a A.SH. 0 0.00 K
ybhff.dll Mon Jun 7 2004 5:34:26a A.SH. 0 0.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 0 bytes 0.00 K

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\APIDD32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SDKQF32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WINHL.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\YBHFF.DLL

»»»»»(5)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... WINHL.DLL .....57344 29.06.2004

»»»*»»» Scanning for moved file... »»»*»»»


No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


fgrep: no files found for C:\JUNKXXX\*.*


move%WinDir%\System32WINHL.DLL\%SystemDrive%\junkx xx\WINHL.DLL


File not found - C:\junkxxx\*.*

»»Permissions:
There are no more files.

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x JARED\Jared Fox
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: JARED\Jared Fox

Primary Group: JARED\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\winhl.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs = C:\WINDOWS\System32\winhl.dll

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Notepad check....

C:\WINDOWS\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Thu Aug 29 2002 8:00:00a A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Jun 29 2004 1:01:52p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-29-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: ?
00001190: B w vk UDeviceNo
000011D0:tSelectedTimeout 1 5 @ vk ' z
00001210:GDIProcessHandleQuota" 9 0 | vk X
00001250:Spooler2 y e s n vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' i USERProcessHandleQuotai 8
00001310:h vk < H ~ AppInit_DLLs q~ C :
00001350:\ W I N D O W S \ S y s t e m 3 2 \ w i n h l . d l l x ^| w
00001390: | w$ w 1 w wH w w w w\i w6 w,U w4 w w 2 w wpE w
000013D0: w wh w w w( w w w w ' wH w f w^ w w w W w
00001410:6 w w w w* w~ w" w w w wh w w w8 w wf w
00001450: w w w W wX wx wX w R w W w 6 w W w w w" w^ w` w
00001490: w w wh w w w w w w w w w wh wx w w
000014D0:h wj w K w` w w ) w8 w ) w w w w w e w 2 w w w
00001510: r w z wjw wx w w ! wt& wP% w c w ` w wJ w w w w w
00001550

---------- WIN.TXT
TAppInit_DLLsoutQÀÿÿÿC

---------- NEWWIN.TXT
AppInit_DLLs€q~
--------------
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
yes
C:\WINDOWS\System32\winhl.dll
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 7E 00 . 5F 44 4C 4C 73 80 71 7E ......~. _DLLs€q~
**File C:\FINDnFIX\NEWWIN.TXT
 


  

 BžøwÐÿÿÿvk  à


ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  @  °
Ðÿÿÿvk  €' 
zGDIProcessHandleQuota"þðÿÿÿ9 0  �¸| àÿÿÿvk  X

°ºSpooler2ðÿÿÿy e s Èn àÿÿÿvk  €

=pswapdisk °
ø
8 h * Ðÿÿÿvk  (

R¿TransmissionRetryTimeoutÐÿÿÿvk  €' 
i USERProcessHandleQuotai àÿÿÿ°
ø
8 h * Ð  Øÿÿÿvk < H

~ AppInit_DLLs€q~ ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ w i n h l . d l l x ^|÷w¬|÷w$ä÷w°1úwˆÂõwH¼õwø¶õw°²öwÈãõw\iøw6ëøw,Uøw4’ øw¸Ãõw*2ùwˆ¾õwpEúwˆ¼õwºõwhÃõwÈÀõw˜¹õw(ºõw˜Àõwˆµõw ˆÅõw'öwHÄõw˜fùw^îøwÐœøwØ¿õwÞWøw6¦øw¸¶õw¨¶õwºõw*ù ÷w~è÷w"è÷wø½õwè»õwÁõwhµõwñõwˆ·õw8·õwšöwfêøw¨¾õw ¸½õw¿õw¾WøwX»õwx½õwXÄõw Rúw¾WøwØ6üw*Wøwè´õw´ð÷w"ôøw^øøw`›öwèÁõw¸µõwؼõwh·õ w¼õwÀõwè¶õw¸»õwø¿õwØÃõwÅõwè·õw˜·õwh¼õwxÃõw¨µõwh ¶õwjë÷wÐKúw`õöw’÷öwÓ)÷w8¼õw)öwòüöwˆ¹õwˆÁõwÄõwàeù w2úwîõwšÚöwðrøwäzøwjwøwx¿õw˜ÅõwÄ!ùwt&ùwP%ùwÌcùwŽ `ùwˆ…øwJ‰øwä‹øw°Œøwº‡øwè»öwpÄöw»öwTéøwš*õw@LúwK2ú wÚ$úwá)úw˜»õw8ÄõwHÂõw>õöwÌõöwZýöwœùöwºüöwE]÷wæf÷wún÷wi÷w&g÷w‰8ùwäÏõwÖÍõw4ÇõwÂÇõwÿ/úwêóöw°

Sorry about that rick, so many CWS variants get confusing, I got a bit mixed up

Final steps:

-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, restart your computer and
Delete the entire 'FINDnFIX' file+folder(s)
From C:\, and be sure the C:\junkxxx folder
was deleted (as part of the cleanup process)


Now run CWShredder
Click Fix, don't just scan. Let it fix everything it asks about.

Next run Ad-Aware
After installing Ad-Aware, and before running the program, first press “check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.

Reboot, then post follow up hijackthis log when done!

__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|

[*]Be patient and wait for a response, we'll do our best to help resolve your issue.
[*]When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info

As requested!
(after also doing Windows update and Norton AV update)


Logfile of HijackThis v1.98.0
Scan saved at 12:08:16 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\byzzlh.exe
C:\WINDOWS\System32\EXSHOW95.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Starfish\TrueSync\TSTool.exe
C:\WINDOWS\System32\EXSHOW.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
c:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Hijack This\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jared Fox\Application Data\Mozilla\Profiles\default\is142dxb.slt\prefs.j s)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5CE442C-2593-EF03-7AA2-92CD1F3D4D6F} - C:\WINDOWS\sdkcc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lrsqzidrbbapx] C:\WINDOWS\System32\byzzlh.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\TSTool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/226f736a1d844a5...p/RdxIE601.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab