TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Matrix on December 05, 2005, 10:06:58 PM

Title: Desktop Hijacked
Post by: Matrix on December 05, 2005, 10:06:58 PM

I cant get this off my desktop.I cant change the background.I had 7 viruses got rid of all of them. Ran ad aware ver 6 and still cant change it.
here is the log from hijack this\
Logfile of HijackThis v1.99.1
Scan saved at 9:57:01 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\ddrptui.exe
C:\windows\system32\LyKidwrs.exe
C:\windows\system32\OdrkcMo.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Documents and Settings\btsamdxp2600\Local Settings\Temporary Internet Files\Content.IE5\WDYR4XUZ\SFUninstaller[1].exe
C:\Documents and Settings\btsamdxp2600\Local Settings\Temporary Internet Files\Content.IE5\WDYR4XUZ\SFUninstaller[1].exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sdkhg32.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\nettk32.exe
C:\WINDOWS\system32\crbf32.exe
C:\Program Files\downloaded\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kdrda.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kdrda.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kdrda.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kdrda.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kdrda.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kdrda.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kdrda.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www-secure.symantec.com/custserv/cs...r_consumer.html (http://\"https://www-secure.symantec.com/custserv/cs_register_consumer.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R3 - Default URLSearchHook is missing
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll
O2 - BHO: Class - {CDD74C7B-AF77-7456-5366-3D4E3A448F23} - C:\WINDOWS\crvo.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RFWDL] C:\documents and settings\btsamdxp2600\local settings\temp\RFWDL.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [wFFW38P] ddrptui.exe
O4 - HKLM\..\Run: [LyKidwrs] C:\windows\system32\LyKidwrs.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OdrkcMo] C:\windows\system32\OdrkcMo.exe
O4 - HKLM\..\Run: [LyKidwrs.exe] C:\windows\system32\LyKidwrs.exe
O4 - HKLM\..\Run: [OdrkcMo.exe] C:\windows\system32\OdrkcMo.exe
O4 - HKLM\..\Run: [AutoLoaderwswq1KSQXQXU] "C:\WINDOWS\system32\ddrptui.exe" /HideDir /HideUninstall /PC="CP.WILD2" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [crbf32.exe] C:\WINDOWS\system32\crbf32.exe
O4 - HKLM\..\RunOnce: [sdkhg32.exe] C:\WINDOWS\sdkhg32.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab (http://\"http://housecall60.trendmicro.com/housecall/xscan60.cab\")
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab (http://\"http://spystream.babenet.com/cabs/videox.cab\")
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll (http://\"http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll\")
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab (http://\"http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab (http://\"http://secure2.comned.com/signuptemplates/securelogin-devel.cab\")
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/Standar...wActiveXCab.CAB (http://\"http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB\")
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab (http://\"http://lg.home.microsoft.com/search/lobby/searchsettings.cab\")
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\nettk32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\btsamdxp2600\Local Settings\Temporary Internet Files\Content.IE5\WDYR4XUZ\SFUninstaller[1].exe"  service (file missing)

Please help

Title: Desktop Hijacked
Post by: guestolo on December 06, 2005, 12:29:06 AM

Can you do the following for me please

First
Access your add/remove programs and remove if found
P2P networking remove Altnets if prompted

Also Remove if found
Media Access
NavHelper

finally remove Ad-Aware 6
Ad-aware isn't malware, but we must update you too the latest version

Reboot your computer

Back in windows, I need you too download the following tools

Download and save to desktop the
Standalone version of CWShredder (http://\"http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe\")
Don't run this yet

Also, can you do the following
==Create a New folder on your desktop, call it Aboutbuster
(Right click an empty spot on the desktop and select NEW>>FOLDER)
Download to desktop About:Buster 5.1 (http://\"http://www.malwarebytes.org/ccount/click.php?id=1\")
by RubbeR Ducky
Unzip it to that new folder

Open the Aboutbuster folder and Run About:buster.exe
Click the Update button
Allow to update

Close down your browser
Run About:Buster.exe again
This time
Click the Begin Removal button
Can you please run this scan twice
When it's done it will produce a log in the Aboutbuster folder called
Ab logfile.txt
I'll need to see the log later

Afterwards, Open CWShredder.exe and click on the FIX button
Let it fix what it finds

Reboot your computer

Back in windows

Download and Install the free version of Ad-Aware SE Personal 1.06 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows
Download and Install Spybot 1.4 from
HERE (http://\"http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button\")
 or HERE (http://\"http://www.safer-networking.org/en/download/index.html\")

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish the cleaning process

Back in windows

Post back a fresh hijackthis log
Could you also post the log in the About:Buster folder>>Ab logfile.txt

Title: Desktop Hijacked
Post by: Matrix on December 06, 2005, 08:16:29 AM

Thanks for the help guestolo
I did everything you said and I have my background back.I thought my ad aware was updated I check it everyday and it said no updates available. The new version found 91 ! here is the logs you requested below.
Logfile of HijackThis v1.99.1
Scan saved at 8:10:16 AM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\crbf32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\sdkhg32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\downloaded\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lvchy.dll/sp.html#17702
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lvchy.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lvchy.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lvchy.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lvchy.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www-secure.symantec.com/custserv/cs...r_consumer.html (http://\"https://www-secure.symantec.com/custserv/cs_register_consumer.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
R3 - Default URLSearchHook is missing
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {8605880F-6BF7-6B34-055A-28982FA6CC5C} - C:\WINDOWS\system32\apicw32.dll
O2 - BHO: Class - {B26ECB3E-7E8F-69E6-589D-7741C9257677} - C:\WINDOWS\system32\sysbw32.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RFWDL] C:\documents and settings\btsamdxp2600\local settings\temp\RFWDL.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [LyKidwrs] C:\windows\system32\LyKidwrs.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OdrkcMo] C:\windows\system32\OdrkcMo.exe
O4 - HKLM\..\Run: [LyKidwrs.exe] C:\windows\system32\LyKidwrs.exe
O4 - HKLM\..\Run: [OdrkcMo.exe] C:\windows\system32\OdrkcMo.exe
O4 - HKLM\..\Run: [crbf32.exe] C:\WINDOWS\system32\crbf32.exe
O4 - HKLM\..\Run: [apicw32.exe] C:\WINDOWS\system32\apicw32.exe
O4 - HKLM\..\Run: [ipwi32.exe] C:\WINDOWS\ipwi32.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab (http://\"http://housecall60.trendmicro.com/housecall/xscan60.cab\")
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab (http://\"http://spystream.babenet.com/cabs/videox.cab\")
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll (http://\"http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll\")
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab (http://\"http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab (http://\"http://secure2.comned.com/signuptemplates/securelogin-devel.cab\")
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/Standar...wActiveXCab.CAB (http://\"http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB\")
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab (http://\"http://lg.home.microsoft.com/search/lobby/searchsettings.cab\")
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkhg32.exe"  /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

And the ab log file
AboutBuster 5.1, reference file 33
Scan started on [12/6/2005] at [7:36:06 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\sqciy.dat
Removed File! : C:\WINDOWS\system32\twrwk.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:37:12 AM


AboutBuster 5.1, reference file 33
Scan started on [12/6/2005] at [7:37:43 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:38:42 AM

Title: Desktop Hijacked
Post by: guestolo on December 07, 2005, 10:37:49 PM

Very sorry for the delay, can you do the following for me please

==Download and then Install
Ewido Security Suite (http://\"http://download.ewido.net/ewido-setup.exe\")

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")


After Ewido is installed and updated
Can you post back a fresh hijackthis log please, don't reboot again till I see the new log
We'll get rid of the other critters for you
Coincidence, I couldn't make it to the forum yesterday, my buddy had your same problem
Hee, hee>>He also had other problems but It's been awhile since I have seen this version of About:Blank
It's still no problem getting rid of it  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />