'about:blank and Quick Web Search' Hijack

Status
Not open for further replies.
E

EricBoroush

Solid State Member
Messages
7
I am working with a friend that appears to have encountered the "about:blank Quick Web Search" hijack that has been described in this and other forums. I found a similar description and set of clean-up instructions in a previous post on this forum initially logged by userID "bluebledthesea" in May of this year. (I believe the message thread ID number is 48599). The HiJackThis log that I obtained this morning from the system in question looks relatively similar to the HiJackThis log from the previous description. I basically understand the clean-up procedure specified in the previous message thread but I can see some differences between my current log and the previous incident log. There was also what appeared to be a little discrepancy in defining what elements to fix in the original message thread when comparing the original response from userID "Lobos" and a following response from userID "Warez Monster". Both previous responses specified a number of same elements to fix but there were a few variances. In any case, since my current HiJackThis log is a little different than that described in the previous incident, could someone take a look at it and pass along some info to get rid of the hijack situation on my friends system.

Current HiJackThis log -------

Logfile of HijackThis v1.99.1
Scan saved at 10:39:08 AM, on 7/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\mfcfs32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\iesr32.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Norton CleanSweep\csinsmNT.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\Windows Virus Spyware Software\CastleCops\HJT V1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\diuuz.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\diuuz.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\diuuz.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\diuuz.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\diuuz.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\diuuz.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\diuuz.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7366BED8-1A0E-3DBC-1C42-9C3C2FF47E58} - C:\WINNT\d3qo.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [iesr32.exe] C:\WINNT\iesr32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton CleanSweep\csinsmNT.exe
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mfcfs32.exe" /s (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
Then remove these:

C:\WINNT\iesr32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\diuuz.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\diuuz.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\diuuz.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\diuuz.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\diuuz.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\diuuz.dll/sp.html#14044

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\diuuz.dll/sp.html#14044

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {7366BED8-1A0E-3DBC-1C42-9C3C2FF47E58} - C:\WINNT\d3qo.dll

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [iesr32.exe] C:\WINNT\iesr32.exe

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mfcfs32.exe" /s (file missing)
 
you can leave these just because the file says it is missing doesn't really mean it is

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)


and post another hjt log i doubt that will be all that bneeds to be done
 
OK, my thanks to both of you for the initial responses. I will try to get back over to my friend's place over the weekend to execute the instructions. They appear similar to what I had read in the previous incident. If I can't make it over there this weekend then it will be early next week. I will report back at that point and post a new HJT log. Thanks again, I'll be checking in later......
 
To "Warez Monster"

A qualification to your instructions from response 2 ---

Under the general statement "Then remove these:", the first item is described by HJT as a runing process. I assume that you mean to manually delete the "iesr32.exe" file associated with this item??? All of the other items will be "checked" and "fixed" by HJT???

Are my assumptions correct? Are there any other files that should be deleted based upon the original HJT log?
 
The identified recovery steps were performed last evening and the "Quick Web Search" hijack now appears to be eliminated. After completing these steps, I performed a CWSShredder scan and it identified one module as being found - "CWS.homesearch" while a full system scan by Ad-Aware SE identified quite a number of CWS elements. I didn't do anything last evening to remove the identified CWS modules but I suppose these should also be eliminated. Do you agree???

I have included the log file from "About Buster" and a new HJT log after the suggested clean-up steps were completed last evening.

About Buster log ---

AboutBuster 5.0 reference file 30
Scan started on [7/10/2005] at [8:23:41 PM]
------------------------------------------------
Removed Stream! C:\WINNT\Blue Lace 16.bmp:kvlykl
Removed Stream! C:\WINNT\cruy32.exx:eek:tnflm
Removed Stream! C:\WINNT\DATA.TCD:ifzugs
Removed Stream! C:\WINNT\explorer.scf:bfszav
Removed Stream! C:\WINNT\hrjqn.txt:uwuoge
Removed Stream! C:\WINNT\ICOA.INI:eek:astfz
Removed Stream! C:\WINNT\iis5.log:mxfbah
Removed Stream! C:\WINNT\imsins.log:hblzzj
Removed Stream! C:\WINNT\KB828741.log:kfkbkm
Removed Stream! C:\WINNT\KB828741.log:rmnned
Removed Stream! C:\WINNT\KB839645.log:pppdox
Removed Stream! C:\WINNT\KB841873.log:haeyiw
Removed Stream! C:\WINNT\LUINSTALL.LOG:vvlgvo
Removed Stream! C:\WINNT\ModemDet.txt:eek:wvlpr
Removed Stream! C:\WINNT\QDQICK.ini:tpmbjt
Removed Stream! C:\WINNT\Santa Fe Stucco.bmp:wcpuiv
Removed Stream! C:\WINNT\setupact.log:etykge
Removed Stream! C:\WINNT\setupapi.log:lyovrw
Removed Stream! C:\WINNT\setuplog.txt:gclwxn
Removed Stream! C:\WINNT\setuplog.txt:xurpap
Removed Stream! C:\WINNT\Sti_Trace.log:zdecrx
Removed Stream! C:\WINNT\updspapi.log:ckpvfo
Removed Stream! C:\WINNT\virik.txt:udijzy
Removed Stream! C:\WINNT\winnt.bmp:xgjgfs
Removed Stream! C:\WINNT\_default.pif:tpqbrn
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:23:42 PM


Current HJT log after completing initial clean-up steps ---

Logfile of HijackThis v1.99.1
Scan saved at 8:39:20 PM, on 7/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\mfcfs32.exe
C:\WINNT\ntag32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Norton CleanSweep\csinsmNT.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\Windows Virus Spyware Software\CastleCops\HJT V1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\illdo.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FEFD04EF-013D-124C-D596-1C6488169F28} - C:\WINNT\atlsa32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [iegg32.exe] C:\WINNT\iegg32.exe
O4 - HKLM\..\Run: [ntag32.exe] C:\WINNT\ntag32.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton CleanSweep\csinsmNT.exe
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mfcfs32.exe" /s (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
 
Hi:

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the logÂ…..

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Download and install Cleanup
http://cleanup.stevengould.org

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido


Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove SpyFighter.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINNT\system32\mfcfs32.exe
C:\WINNT\ntag32.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\illdo.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\illdo.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\illdo.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FEFD04EF-013D-124C-D596-1C6488169F28} - C:\WINNT\atlsa32.dll
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [iegg32.exe] C:\WINNT\iegg32.exe
O4 - HKLM\..\Run: [ntag32.exe] C:\WINNT\ntag32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\mfcfs32.exe" /s (file missing

Run AboutBuster again.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletionÂ…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINNT\illdo.dll
C:\WINNT\system32\mfcfs32.exe
C:\WINNT\ntag32.exe
C:\Program Files\SpyFighter\SpyFighter.exe
C:\WINNT\atlsa32.dll

Once you reboot...boot directly back to safe mode.

C:\Program Files\SpyFighter <--delete that folder

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows.... Run an online scan from http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Choose the "Autofix/Clean" option and save it's log. Then post all those logs.

So I need...

Panda Scan log
Ewido log
Hijackthis log
 
Status
Not open for further replies.

Similar threads

XWrench3
hijack this scan
Replies
6
Views
2K
XWrench3
XWrench3
N
Laptop slowing down in function (internet and general apps)
Replies
1
Views
3K
Trotter
Trotter
G
Computer slow and work in background
Replies
0
Views
2K
grecycle99
G
M
computer suddenly slowed down.
Replies
0
Views
3K
mike3dp
M
N
Your computer appears to be correctly configured, but the device or resource (DNS server) is not responding"
Replies
0
Views
4K
nev
N
Back
Top Bottom