Post by: Chr1s on February 16, 2005, 07:55:16 PM
Scan saved at 00:52:27, on 17/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTFMONSS.EXE
C:\WINDOWS\System32\CSRSSW.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\FIREFOX\FIREFOX.EXE
C:\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home (http://\"http://default.home\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home (http://\"http://default.home\")
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINDOWS\wtlbass32.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Flashget\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Flashget\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTFMONSS] C:\WINDOWS\System32\CTFMONSS.EXE
O4 - HKCU\..\Run: [CSRSSW] C:\WINDOWS\System32\CSRSSW.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Flashget\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://ehttp.cc/ (http://\"http://ehttp.cc/\")?
O13 - WWW Prefix: http://ehttp.cc/ (http://\"http://ehttp.cc/\")?
O13 - WWW. Prefix: http://ehttp.cc/ (http://\"http://ehttp.cc/\")?
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0805f8f75f40dc...ip/RdxIE601.cab (http://\"http://software-dl.real.com/0805f8f75f40dccf0b16/netzip/RdxIE601.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en/wowbeta/Si.cab (http://\"http://www.wow-europe.com/signup/en/wowbeta/Si.cab\")
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab (http://\"http://launch.gamespyarcade.com/software/launch/alaunch.cab\")
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Norton Personal Firewall Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Any ideas why i keep having 'Commom Hijacker' come up in my spyware program and my IE is being taken over by a nasty homepage?
Post by: guestolo on February 17, 2005, 10:38:39 PM
Download and save to desktop the Standalone version of
CWShredder.exe (http://\"http://cwshredder.net/bin/CWShredder.exe\")
Close down all browser windows
Run CWShredder and click ONLY the FIX button
Let it fix what it finds
RESTART your computer
Can you update your version of Hijackthis and save it to your
C:\Downloads\ folder
allow to overwrite the older version
You can get the latest version from my signature below
Post back with a fresh log afterwards
Post by: Chr1s on February 18, 2005, 04:16:06 AM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Logfile of HijackThis v1.99.1
Scan saved at 09:16:59, on 18/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTFMONSS.EXE
C:\WINDOWS\System32\CSRSSW.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\hijackthis-1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home (http://\"http://default.home\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home (http://\"http://default.home\")
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINDOWS\wtlbass32.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Flashget\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Flashget\FlashGet\fgiebar.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stoolbd.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTFMONSS] C:\WINDOWS\System32\CTFMONSS.EXE
O4 - HKCU\..\Run: [CSRSSW] C:\WINDOWS\System32\CSRSSW.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Flashget\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Flashget\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (http://\"http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab\")
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0805f8f75f40dc...ip/RdxIE601.cab (http://\"http://software-dl.real.com/0805f8f75f40dccf0b16/netzip/RdxIE601.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en/wowbeta/Si.cab (http://\"http://www.wow-europe.com/signup/en/wowbeta/Si.cab\")
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab (http://\"http://launch.gamespyarcade.com/software/launch/alaunch.cab\")
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Post by: guestolo on February 18, 2005, 12:28:33 PM
UNZIP the files to the folder of your choice.
Open up Notepad
START>>RUN>>type in notepad
Copy and paste these instructions to the empty notepad file and save it to your desktop
Disconnect from the Internet, close out all unnecessary windows
Open Hijackthis>>Open Misc tools>>Open Process Manager
Kill these processes if running
C:\WINDOWS\System32\CTFMONSS.EXE
C:\WINDOWS\System32\CSRSSW.EXE
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home (http://\"http://default.home\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home (http://\"http://default.home\")
O2 - BHO: VDOMP Class - {A0ED918D-B8E6-4c3d-BD15-1DB1AE9A5DD3} - C:\WINDOWS\wtlbass32.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stoolbd.dll
O4 - HKCU\..\Run: [CTFMONSS] C:\WINDOWS\System32\CTFMONSS.EXE
O4 - HKCU\..\Run: [CSRSSW] C:\WINDOWS\System32\CSRSSW.EXE
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0805f8f75f40dc...ip/RdxIE601.cab (http://\"http://software-dl.real.com/0805f8f75f40dc...ip/RdxIE601.cab\")
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click to open Killbox.exe and have Notepad open for reference
ALL other windows closed
Click Tools>>Clear Temp files
Copy and paste each of the following bold lines below into the "Full Path of File to Delete" box in Killbox, one at a time
Put a mark next to "Delete on Reboot"
Click the Red button with the X that looks like a stop sign after each
Click "Yes" at the Delete on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat those same steps for all of these files.
=============================================
Full paths of file to delete
C:\WINDOWS\wtlbass32.dll
C:\WINDOWS\stoolbd.dll
C:\WINDOWS\System32\CTFMONSS.EXE
===============================================
After adding the next bold line below into the Full Path of file to delete
===============================================
C:\WINDOWS\System32\CSRSSW.EXE
===============================================
Click "Yes" at the Delete on Reboot prompt.
Click "Yes" at the Pending Operations prompt
Allow the computer to Reboot
Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Post back a fresh hijackthis log
Could you also
Download ServiceFilter.zip (http://\"http://www.bleepingcomputer.com/files/windows/ServiceFilter.zip\")
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.