[list=1][*]Make sure your settings allow you to view "Hidden files" & "hide protected operating system files" is unchecked. Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".[*]Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "atlnc32.exe" & "javaeb32.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.[*]Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.[*]Scroll down and find the service called "Network Security Service". [*]When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.[*]Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tolip.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tolip.dll/sp.html#96676

O2 - BHO: (no name) - {935EBCE9-F516-EEA1-1F61-F8F6D4C9372C} - C:\WINDOWS\system32\apizc32.dll

O4 - HKLM\..\Run: [atlnc32.exe] C:\WINDOWS\atlnc32.exe
O4 - HKLM\..\RunOnce: [javaeb32.exe] C:\WINDOWS\javaeb32.exe
O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\system32\d3hi.exe

[*]Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:

C:\WINDOWS\tolip.dll

C:\WINDOWS\system32\apizc32.dll

C:\WINDOWS\atlnc32.exe
C:\WINDOWS\javaeb32.exe
C:\WINDOWS\system32\d3hi.exe


Reboot in Normal Mode.
Download the file attached to this post and rename it to cwsuninst.reg
Doubleclick it and confirm you want to merge it with the registry.
Run HijackThis again and post a new log.

File Attachment

Extra notes
If given full internet access this variant will delete:
- your hosts file (good replacements can be found here or here)
- Spybot S&D's BHO (download SDHelper.dll, put it in the Spybot folder (default is: C:\Program Files\Spybot - Search & Destroy\) and click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" > OK
- control.exe: follow instructions here: http://www.spywareinfo.com/~merijn/...es.html#control

I followed the instructions below until I got to the part about deleting files while in Safe mode. I didn't find any of those Windows files to delete. (?)
I rebooted in regular mode and of course my IE is still getting hijacked.
Suggestions? Thanks

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt here.

I downloaded Registar Lite and pasted the line below into the address bar.
The following defaulted into the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Didn't find any Appinit_DLL values. (?)

Tried to download FindnFix but the program is no longer available.

Thanks

Still available at the first link I provided. Just tried it . Me off to bed now so will have to take this up tomorrow.

I swear I got a broken link when I clicked yesterday!

Here is the FindNFix log:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

Tue 07/13/2004
8:11am up 0 days, 0:47

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/12)»»»»»»»»»»»»»»»»

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
apizc32.dll Sat Jun 26 2004 4:17:40a A.SH. 91,136 89.00 K
d3li.dll Thu May 20 2004 2:55:02a A.SH. 91,136 89.00 K
rwqhn.dll Sun May 30 2004 5:37:30a A.SH. 67,584 66.00 K
rzgmh.dll Mon Jun 28 2004 9:46:50a A.SH. 67,584 66.00 K
wbuyf.dll Tue Jun 29 2004 12:16:06p A.SH. 71,168 69.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 388,608 bytes 379.50 K

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\APIZC32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\D3LI.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RWQHN.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RZGMH.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WBUYF.DLL

»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group PAUL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
8:14am up 0 days, 0:49
Tue 07/13/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-13-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-13-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Tue Jul 13 2004 7:50:38a .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250pooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' c USERProcessHandleQuotac 8
00001310:h
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!


Looks like freeatlast has prohibited it's use by unauthorized boards (this being one) so will not be able to progress with this. Sorry. Good news is that the file we are looking for does not exist .

*
»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*
*

Download About:buster from http://downloads.subratam.org/AboutBuster.zip and unzip it to your desktop.

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Reboot your computer in normal mode.

Ran About Buster. The hijacker is still there, pop ups and all.
Now I can't access Tools- Internet options at all.
I get the message:This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

Am not sure what has happened there, have not had it occur before. Can you do a system restore to a time before you got the hijack?