Author Topic: Hijacked!  (Read 1173 times)

Presents (Newbie)
Hijacked!
« on: May 31, 2005, 04:54:11 PM »
log from hjt:

Logfile of HijackThis v1.99.1
Scan saved at 5:29:32 PM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay  Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Setup\rsrc\demo32.exe
D:\Setup\rsrc\demo32.exe
C:\WINDOWS\system32\javaua.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FCDF9B34-55AD-0116-483A-6ED53C743179} - C:\WINDOWS\system32\sdkiz32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntgi32.exe] C:\WINDOWS\ntgi32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [javaua.exe] C:\WINDOWS\system32\javaua.exe
O4 - HKLM\..\RunOnce: [ipwf.exe] C:\WINDOWS\system32\ipwf.exe
O4 - HKLM\..\RunOnce: [mfcri32.exe] C:\WINDOWS\system32\mfcri32.exe
O4 - HKLM\..\RunOnce: [systc32.exe] C:\WINDOWS\system32\systc32.exe
O4 - HKLM\..\RunOnce: [addre32.exe] C:\WINDOWS\system32\addre32.exe
O4 - HKLM\..\RunOnce: [applw.exe] C:\WINDOWS\applw.exe
O4 - HKLM\..\RunOnce: [iekj32.exe] C:\WINDOWS\system32\iekj32.exe
O4 - HKLM\..\RunOnce: [sdkfh.exe] C:\WINDOWS\system32\sdkfh.exe
O4 - HKLM\..\RunOnce: [ntpd32.exe] C:\WINDOWS\ntpd32.exe
O4 - HKLM\..\RunOnce: [ntlv32.exe] C:\WINDOWS\ntlv32.exe
O4 - HKLM\..\RunOnce: [appqp.exe] C:\WINDOWS\appqp.exe
O4 - HKLM\..\RunOnce: [javaol32.exe] C:\WINDOWS\javaol32.exe
O4 - HKLM\..\RunOnce: [apiun.exe] C:\WINDOWS\system32\apiun.exe
O4 - HKLM\..\RunOnce: [crvn32.exe] C:\WINDOWS\crvn32.exe
O4 - HKLM\..\RunOnce: [wingk.exe] C:\WINDOWS\wingk.exe
O4 - HKLM\..\RunOnce: [javaxz32.exe] C:\WINDOWS\system32\javaxz32.exe
O4 - HKLM\..\RunOnce: [apilb.exe] C:\WINDOWS\apilb.exe
O4 - HKLM\..\RunOnce: [apijy.exe] C:\WINDOWS\system32\apijy.exe
O4 - HKLM\..\RunOnce: [winoa32.exe] C:\WINDOWS\system32\winoa32.exe
O4 - HKLM\..\RunOnce: [netqg.exe] C:\WINDOWS\netqg.exe
O4 - HKLM\..\RunOnce: [addea32.exe] C:\WINDOWS\addea32.exe
O4 - HKLM\..\RunOnce: [netwo32.exe] C:\WINDOWS\netwo32.exe
O4 - HKLM\..\RunOnce: [apiss32.exe] C:\WINDOWS\apiss32.exe
O4 - HKLM\..\RunOnce: [apigz.exe] C:\WINDOWS\system32\apigz.exe
O4 - HKLM\..\RunOnce: [winjx.exe] C:\WINDOWS\winjx.exe
O4 - HKLM\..\RunOnce: [d3qr.exe] C:\WINDOWS\system32\d3qr.exe
O4 - HKLM\..\RunOnce: [apity.exe] C:\WINDOWS\system32\apity.exe
O4 - HKLM\..\RunOnce: [crlu32.exe] C:\WINDOWS\crlu32.exe
O4 - HKLM\..\RunOnce: [sysie32.exe] C:\WINDOWS\system32\sysie32.exe
O4 - HKLM\..\RunOnce: [mfcba32.exe] C:\WINDOWS\mfcba32.exe
O4 - HKLM\..\RunOnce: [appzt.exe] C:\WINDOWS\appzt.exe
O4 - HKLM\..\RunOnce: [ipkq32.exe] C:\WINDOWS\system32\ipkq32.exe
O4 - HKLM\..\RunOnce: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe
O4 - HKLM\..\RunOnce: [crdo32.exe] C:\WINDOWS\system32\crdo32.exe
O4 - HKLM\..\RunOnce: [ntsi32.exe] C:\WINDOWS\system32\ntsi32.exe
O4 - HKLM\..\RunOnce: [d3zz32.exe] C:\WINDOWS\system32\d3zz32.exe
O4 - HKLM\..\RunOnce: [ipdi.exe] C:\WINDOWS\system32\ipdi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntir32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I would like to thank all for any help that may come, and thanks for having this board for me :)

Presents (Newbie)
Hijacked!
« Reply #1 on: June 01, 2005, 06:32:03 AM »
Morning bump before work.

guestolo (Administrator)
Hijacked!
« Reply #2 on: June 01, 2005, 10:52:45 PM »
Can you please do the following, and thanks for your patience :)

Some of the file names may have changed, but let's see what we can clean up.
There's a newer infection of this sort going around, making it a bit tougher to fix, but RubberDucky, the creator of About:Buster, has updated his tool.
Let's see if it can clean this one.

Can you please create a folder on your desktop
Right click an empty spot on the desktop
Select NEW>>Folder
Name it Aboutbuster
Download AboutBuster5.zip
and UNZIP the contents to that new folder
Open the folder and double click on
About:buster.exe (A:B icon)
Click the UPDATE button
After it's been updated close it out for now
We'll need it later

==From my signature below, download and save to Desktop CWShredder.exe
We'll need this later

==Download and UNZIP to desktop or a folder Cwsserviceremove.zip so you now have cwserviceremove.reg extracted
We'll need this later

==Download and Install this small program
to help clean your temp folders,cookies, prefetch, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
We'll need this later

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Network Security Service (NSS)

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Using Windows Explorer, manually navigate and delete these files if found
C:\WINDOWS\ntgi32.exe <--file
C:\WINDOWS\applw.exe
C:\WINDOWS\ntpd32.exe
C:\WINDOWS\ntlv32.exe
C:\WINDOWS\appqp.exe
C:\WINDOWS\javaol32.exe
C:\WINDOWS\crvn32.exe
C:\WINDOWS\wingk.exe
C:\WINDOWS\apilb.exe
C:\WINDOWS\netqg.exe
C:\WINDOWS\addea32.exe
C:\WINDOWS\netwo32.exe
C:\WINDOWS\apiss32.exe
C:\WINDOWS\winjx.exe
C:\WINDOWS\crlu32.exe
C:\WINDOWS\mfcba32.exe
C:\WINDOWS\appzt.exe
C:\WINDOWS\ntir32.exe
C:\WINDOWS\system32\ipkq32.exe
C:\WINDOWS\system32\winnl32.exe
C:\WINDOWS\system32\crdo32.exe
C:\WINDOWS\system32\ntsi32.exe
C:\WINDOWS\system32\d3zz32.exe
C:\WINDOWS\system32\ipdi.exe
C:\WINDOWS\system32\javaua.exe
C:\WINDOWS\system32\ipwf.exe
C:\WINDOWS\system32\mfcri32.exe
C:\WINDOWS\system32\systc32.exe
C:\WINDOWS\system32\addre32.exe
C:\WINDOWS\system32\iekj32.exe
C:\WINDOWS\system32\sdkfh.exe
C:\WINDOWS\system32\apiun.exe
C:\WINDOWS\system32\javaxz32.exe
C:\WINDOWS\system32\apijy.exe
C:\WINDOWS\system32\winoa32.exe
C:\WINDOWS\system32\apigz.exe
C:\WINDOWS\system32\d3qr.exe
C:\WINDOWS\system32\apity.exe
C:\WINDOWS\system32\sysie32.exe
C:\WINDOWS\system32\sdkiz32.dll

Stay in safe mode
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

Instead
Open the Aboutbuster folder and Run About:buster.exe
Click the Begin Removal button
Can you please run this scan  twice
When it's done it will produce a log in the Aboutbuster folder called
Ab logfile.txt
I'll need to see the log later

==Double click on cwserviceremove.reg and  allow to add or merge to the registry

Again, in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {FCDF9B34-55AD-0116-483A-6ED53C743179} - C:\WINDOWS\system32\sdkiz32.dll

O4 - HKLM\..\Run: [ntgi32.exe] C:\WINDOWS\ntgi32.exe

O4 - HKLM\..\Run: [javaua.exe] C:\WINDOWS\system32\javaua.exe
O4 - HKLM\..\RunOnce: [ipwf.exe] C:\WINDOWS\system32\ipwf.exe
O4 - HKLM\..\RunOnce: [mfcri32.exe] C:\WINDOWS\system32\mfcri32.exe
O4 - HKLM\..\RunOnce: [systc32.exe] C:\WINDOWS\system32\systc32.exe
O4 - HKLM\..\RunOnce: [addre32.exe] C:\WINDOWS\system32\addre32.exe
O4 - HKLM\..\RunOnce: [applw.exe] C:\WINDOWS\applw.exe
O4 - HKLM\..\RunOnce: [iekj32.exe] C:\WINDOWS\system32\iekj32.exe
O4 - HKLM\..\RunOnce: [sdkfh.exe] C:\WINDOWS\system32\sdkfh.exe
O4 - HKLM\..\RunOnce: [ntpd32.exe] C:\WINDOWS\ntpd32.exe
O4 - HKLM\..\RunOnce: [ntlv32.exe] C:\WINDOWS\ntlv32.exe
O4 - HKLM\..\RunOnce: [appqp.exe] C:\WINDOWS\appqp.exe
O4 - HKLM\..\RunOnce: [javaol32.exe] C:\WINDOWS\javaol32.exe
O4 - HKLM\..\RunOnce: [apiun.exe] C:\WINDOWS\system32\apiun.exe
O4 - HKLM\..\RunOnce: [crvn32.exe] C:\WINDOWS\crvn32.exe
O4 - HKLM\..\RunOnce: [wingk.exe] C:\WINDOWS\wingk.exe
O4 - HKLM\..\RunOnce: [javaxz32.exe] C:\WINDOWS\system32\javaxz32.exe
O4 - HKLM\..\RunOnce: [apilb.exe] C:\WINDOWS\apilb.exe
O4 - HKLM\..\RunOnce: [apijy.exe] C:\WINDOWS\system32\apijy.exe
O4 - HKLM\..\RunOnce: [winoa32.exe] C:\WINDOWS\system32\winoa32.exe
O4 - HKLM\..\RunOnce: [netqg.exe] C:\WINDOWS\netqg.exe
O4 - HKLM\..\RunOnce: [addea32.exe] C:\WINDOWS\addea32.exe
O4 - HKLM\..\RunOnce: [netwo32.exe] C:\WINDOWS\netwo32.exe
O4 - HKLM\..\RunOnce: [apiss32.exe] C:\WINDOWS\apiss32.exe
O4 - HKLM\..\RunOnce: [apigz.exe] C:\WINDOWS\system32\apigz.exe
O4 - HKLM\..\RunOnce: [winjx.exe] C:\WINDOWS\winjx.exe
O4 - HKLM\..\RunOnce: [d3qr.exe] C:\WINDOWS\system32\d3qr.exe
O4 - HKLM\..\RunOnce: [apity.exe] C:\WINDOWS\system32\apity.exe
O4 - HKLM\..\RunOnce: [crlu32.exe] C:\WINDOWS\crlu32.exe
O4 - HKLM\..\RunOnce: [sysie32.exe] C:\WINDOWS\system32\sysie32.exe
O4 - HKLM\..\RunOnce: [mfcba32.exe] C:\WINDOWS\mfcba32.exe
O4 - HKLM\..\RunOnce: [appzt.exe] C:\WINDOWS\appzt.exe
O4 - HKLM\..\RunOnce: [ipkq32.exe] C:\WINDOWS\system32\ipkq32.exe
O4 - HKLM\..\RunOnce: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe
O4 - HKLM\..\RunOnce: [crdo32.exe] C:\WINDOWS\system32\crdo32.exe
O4 - HKLM\..\RunOnce: [ntsi32.exe] C:\WINDOWS\system32\ntsi32.exe
O4 - HKLM\..\RunOnce: [d3zz32.exe] C:\WINDOWS\system32\d3zz32.exe
O4 - HKLM\..\RunOnce: [ipdi.exe] C:\WINDOWS\system32\ipdi.exe

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntir32.exe (file missing)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Cwshredder.exe and click on the FIX button
Let it run its scan, when it's done

Restart back to Normal mode

Back in Windows
If prompted from Microsoft Anti-Spyware about any changes, allow them so it won't interfere in any fixes we are trying to do

==Look for a file called shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

==Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
 Under the  Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Script ActiveX controls marked safe for scripting (Prompt)


Download and Install the free version of Ad-Aware SE Personal 1.06
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows

Could you run another scan with Hijackthis and post a fresh log
Along with the contents of the Ab logfile.txt in the Aboutbuster folder

Could you also do the following
==Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the "Open in Notepad"
Copy and paste back the whole contents of this notepad file too

Could you also let me know if you have Spybot 1.3 installed
« Last Edit: June 01, 2005, 10:54:07 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
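The manual mapping guestolo does above, from the O2/O4/O23 entries in the HijackThis log to a list of files to delete in safe mode, can be done as a triage pass over the log text. The script below is an added example written for this thread (it is not part of HijackThis, About:Buster or the original posts); its heuristics come only from what the logs in this thread show: IE search keys pointing at a res:// DLL with sp.html#37049, HKLM Run/RunOnce entries in the Windows folder named after their own file, a BHO registered as just "Class", and a service with an unknown owner. The sample input is a constructed excerpt of the first log posted above, with the garbled service name replaced by a placeholder.

```python
"""Triage a HijackThis v1.99.1 log for the about:blank / sp.html#37049
hijack pattern seen in this thread and turn the hits into a checklist of
files to inspect in safe mode.  Added example for this thread; it is not a
HijackThis or About:Buster component."""
import re
from dataclasses import dataclass

# Target sits directly in the Windows root or in system32 (no deeper
# subfolder): every entry guestolo flagged in the log lived there.
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.IGNORECASE)
# O4 line shape: "O4 - HKLM\..\RunOnce: [name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 line shape: "O2 - BHO: <class name> - {CLSID} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RES_RE = re.compile(r"res://(?P<dll>[^/]+)/sp\.html#\d+")

# Constructed sample: an excerpt of the first log posted in this thread, with
# the binary garbage in the service name replaced by a placeholder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hktbp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FCDF9B34-55AD-0116-483A-6ED53C743179} - C:\WINDOWS\system32\sdkiz32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ntgi32.exe] C:\WINDOWS\ntgi32.exe
O4 - HKLM\..\RunOnce: [ipwf.exe] C:\WINDOWS\system32\ipwf.exe
O4 - HKLM\..\RunOnce: [applw.exe] C:\WINDOWS\applw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Network Security Service (NSS) (<garbled>) - Unknown owner - C:\WINDOWS\ntir32.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code (R1, R3, O2, O4, O23)
    reason: str
    path: str      # file the entry points at, "" when there is none


def _first_path(cmd: str) -> str:
    """Pull the executable path out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log: str) -> list[Finding]:
    """Walk the log once and return every entry matching the hijack pattern."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith(("R0 - ", "R1 - ")):
            if m := RES_RE.search(line):
                findings.append(Finding("R1", "IE search key points at a res:// DLL", m.group("dll")))
            elif line.endswith("= about:blank"):
                findings.append(Finding("R1", "IE start/default page forced to about:blank", ""))
        elif line.startswith("R3 - ") and "is missing" in line:
            findings.append(Finding("R3", "default URLSearchHook removed", ""))
        elif m := O2_RE.match(line):
            # The hijack's BHO is registered with no class name beyond "Class".
            if m.group("name").strip() == "Class" and WINDIR_RE.match(m.group("path")):
                findings.append(Finding("O2", "nameless BHO loaded from the Windows folder", m.group("path")))
        elif m := O4_RE.match(line):
            path = _first_path(m.group("cmd"))
            if not WINDIR_RE.match(path):
                continue  # Program Files and the like are left alone
            named_after_file = m.group("name").lower() == path.rsplit("\\", 1)[-1].lower()
            if named_after_file:
                findings.append(Finding("O4", f"{m.group('hive')} {m.group('key')} entry named after its own file in the Windows folder", path))
            elif m.group("key").lower() == "runonce":
                findings.append(Finding("O4", f"{m.group('hive')} RunOnce entry in the Windows folder", path))
        elif line.startswith("O23 - ") and "Unknown owner" in line:
            tail = line.rsplit(" - ", 1)[-1]
            missing = tail.endswith("(file missing)")
            # Strip a trailing quote, switches such as /s, and the "(file missing)" marker.
            path = re.sub(r'"?\s*(?:/\S+\s*)?\(file missing\)$', "", tail).strip().strip('"')
            findings.append(Finding("O23", "service with unknown owner" + (", binary missing" if missing else ""), path))
    return findings


def files_to_check(log: str) -> list[str]:
    """Unique file paths the findings point at: the safe-mode checklist."""
    return sorted({f.path for f in triage(log) if f.path}, key=str.lower)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}" + (f" -> {f.path}" if f.path else ""))
    print("\nFiles to inspect in safe mode:")
    print("\n".join(files_to_check(SAMPLE_LOG)))
```

Because the rules key on the entry's shape rather than on file names, the renamed variants in the later logs in this thread (rgbsa.dll, iece32.exe, atlwq.exe) are picked up by the same pass.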


Presents (Newbie)
Hijacked!
« Reply #3 on: June 02, 2005, 06:35:04 PM »
Once again, thanks for the help so far.

Spybot 1.3 is not installed.

Also, I have the beta Microsoft AntiSpyware installed, so I do not have Ad-Aware SE installed. I did run a scan with MS AntiSpyware.

the fresh log of hjt:
Logfile of HijackThis v1.99.1
Scan saved at 7:19:21 PM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\iece32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay  Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\atlwq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rgbsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vgked.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rgbsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rgbsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rgbsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rgbsa.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rgbsa.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FFCC6735-EB5B-B4BF-E2D6-AA1A6BBF8C5E} - C:\WINDOWS\system32\ntet32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntgi32.exe] C:\WINDOWS\ntgi32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [atlwq.exe] C:\WINDOWS\atlwq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\iece32.exe"  /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


the log from a:b (note: I ran it a few times)
AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [1:22:24 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\WindowsUpdate.log:muvnb
Removed Stream! C:\WINDOWS\_default.pif:aayvm
Removed Stream! C:\WINDOWS\_default.pif:abudro
Removed Stream! C:\WINDOWS\_default.pif:abyna
Removed Stream! C:\WINDOWS\_default.pif:acqwu
Removed Stream! C:\WINDOWS\_default.pif:adgde
Removed Stream! C:\WINDOWS\_default.pif:adqfb
Removed Stream! C:\WINDOWS\_default.pif:aezoj
Removed Stream! C:\WINDOWS\_default.pif:afthz
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:23:02 PM


AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [1:23:32 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:agnyx
Removed Stream! C:\WINDOWS\_default.pif:ahmse
Removed Stream! C:\WINDOWS\_default.pif:ahvvh
Removed Stream! C:\WINDOWS\_default.pif:ahxww
Removed Stream! C:\WINDOWS\_default.pif:aifoi
Removed Stream! C:\WINDOWS\_default.pif:aionw
Removed Stream! C:\WINDOWS\_default.pif:aixumi
Removed Stream! C:\WINDOWS\_default.pif:ajbub
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:24:02 PM


AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [1:24:10 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:akcoxb
Removed Stream! C:\WINDOWS\_default.pif:alhkr
Removed Stream! C:\WINDOWS\_default.pif:aliwv
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:24:40 PM


AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [1:24:46 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:amnsy
Removed Stream! C:\WINDOWS\_default.pif:anaue
Removed Stream! C:\WINDOWS\_default.pif:anhkx
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:25:15 PM


AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [1:25:21 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:anypk
Removed Stream! C:\WINDOWS\_default.pif:aotcz
Removed Stream! C:\WINDOWS\_default.pif:arhns
Removed Stream! C:\WINDOWS\_default.pif:atmmd
Removed Stream! C:\WINDOWS\_default.pif:atopj
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:25:51 PM


AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [1:26:14 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:atzoi
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:26:43 PM


AboutBuster 5.0 reference file 28
Scan started on [6/2/2005] at [1:26:52 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:axfpn
Removed Stream! C:\WINDOWS\_default.pif:axqqmv
Removed Stream! C:\WINDOWS\_default.pif:azcvfn
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:27:22 PM

guestolo (Administrator)
Hijacked!
« Reply #4 on: June 02, 2005, 08:18:36 PM »
Can you please download and run the scan with Ad-Aware also
I know you have Microsoft anti-spyware installed, so do I
But I also use Ad-Aware and Spybot>>the newest version

Ad-Aware may not clean you of this infection, but it may find nasties that MAS misses

After you have run the Ad-Aware scan from the instructions I gave you
And after restarting the computer
please post a fresh hijackthis log
« Last Edit: June 02, 2005, 08:20:23 PM by guestolo »



Presents (Newbie)
Hijacked!
« Reply #5 on: June 03, 2005, 08:01:00 AM »
After I posted, I started thinking and downloaded/ran it. 16 cases MS didn't catch.

The latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:06 AM, on 6/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay  Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\atlwq.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ntla32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FFCC6735-EB5B-B4BF-E2D6-AA1A6BBF8C5E} - C:\WINDOWS\system32\ntet32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay  Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntgi32.exe] C:\WINDOWS\ntgi32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [atlwq.exe] C:\WINDOWS\atlwq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunOnce: [iece32.exe] C:\WINDOWS\iece32.exe
O4 - HKLM\..\RunOnce: [ntla32.exe] C:\WINDOWS\system32\ntla32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Offline guestolo

Hijacked!
« Reply #6 on: June 05, 2005, 08:03:46 AM »
Sorry for the delay
Can I have you disable Microsoft's anti-spyware protection? We don't need it interfering with any fixes we are trying
Code:
Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.

I suspect a few entries have changed, but let's do the following
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Find and delete these files
C:\WINDOWS\ntgi32.exe
C:\WINDOWS\atlwq.exe
C:\WINDOWS\iece32.exe
C:\WINDOWS\system32\ntet32.dll
C:\WINDOWS\system32\ntla32.exe

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {FFCC6735-EB5B-B4BF-E2D6-AA1A6BBF8C5E} - C:\WINDOWS\system32\ntet32.dll
O4 - HKLM\..\Run: [ntgi32.exe] C:\WINDOWS\ntgi32.exe

O4 - HKLM\..\Run: [atlwq.exe] C:\WINDOWS\atlwq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [iece32.exe] C:\WINDOWS\iece32.exe
O4 - HKLM\..\RunOnce: [ntla32.exe] C:\WINDOWS\system32\ntla32.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
<- not needed on startup, can be run manually

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run About:buster again

Double click on Cwsserviceremove.reg and allow to add or Merge to the registry again

Restart your computer back to Normal mode

Run another scan with Hijackthis and post a fresh log
Also post the log from About:buster again

Could you also
Download:  Registry Search Tool from this link
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

11Fßä#·ºÄÖ`I

Wait for the results and post them back here

You didn't post the HOSTS file from hijackthis I asked for last time
Was there a problem doing this?
« Last Edit: June 05, 2005, 08:06:22 AM by guestolo »

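To show how the entries guestolo ticks above fit one pattern, here is a small triage script added for this thread (not the forum's, HijackThis's or AboutBuster's own code) that reads HijackThis log lines and flags the about:blank hijack indicators the thread discusses: res:// search pages served from a DLL in the Windows directory, the missing URLSearchHook, a nameless BHO in system32, and Run/RunOnce values whose label is just the executable's own name. The sample log is constructed from the entries above; the regexes and the heuristics are my assumptions, not HijackThis rules.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on the entries the
# thread above walks through (malicious lines next to benign neighbours).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\glnuk.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {FFCC6735-EB5B-B4BF-E2D6-AA1A6BBF8C5E} - C:\WINDOWS\system32\ntet32.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ntgi32.exe] C:\WINDOWS\ntgi32.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [ntla32.exe] C:\WINDOWS\system32\ntla32.exe
"""

# Heuristics assumed for this example; they mirror what guestolo picked by hand.
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RES_DLL = re.compile(r"res://C:\\WINDOWS\\(?:system32\\)?[^/\\]+\.dll/sp\.html", re.I)
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
RUN = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<label>[^\]]+)\] "?(?P<path>[^" ]+)')
WIN_ROOT = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.I)  # file sits directly in WINDOWS or system32

def triage(log_text):
    """Return (line, reason) pairs for entries matching the about:blank hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and RES_DLL.search(body):
            findings.append((raw, "IE search/start page served from a res:// DLL in the Windows directory"))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            findings.append((raw, "default URLSearchHook has been removed"))
        elif kind == "O2":
            b = BHO.match(body)
            if b and b.group("name").strip() == "Class" and WIN_ROOT.match(b.group("path")):
                findings.append((raw, "unnamed BHO loaded from the Windows directory"))
        elif kind == "O4":
            r = RUN.match(body)
            if r and WIN_ROOT.match(r.group("path")) and r.group("label").lower() == r.group("path").rsplit("\\", 1)[-1].lower():
                findings.append((raw, "Run/RunOnce value whose label is just the exe name, dropped in the Windows directory"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

It deliberately leaves benign neighbours such as NeroCheck.exe and dumprep alone, which is the same discrimination a reader has to make by hand before ticking entries.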