My IE has been hijacked. I have run AdAware, spybot, Spyware blaster, CW Shredder, Aluria Spyware Eliminator, Norton.
Here's my log if anyone can help:

Logfile of HijackThis v1.97.7
Scan saved at 2:52:32 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\atlnc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\PROGRA~1\NET2PH~1\CommCtr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sonicbox\Sonicbox iM Tuner\iM_Tray.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\PROGRA~1\ALURIA~1\ASE\ASEserv.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\javaeb32.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Paul Brockway\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.conklyns.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tolip.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tolip.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {935EBCE9-F516-EEA1-1F61-F8F6D4C9372C} - C:\WINDOWS\system32\apizc32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [atlnc32.exe] C:\WINDOWS\atlnc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\RunOnce: [javaeb32.exe] C:\WINDOWS\javaeb32.exe
O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\system32\d3hi.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SB StartCenter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.conklyns.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.conklyns.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://192.168.2.176/img/NetCamPlayerWeb.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA8DFF4F-BA2A-41E3-84C7-186999C8A32C}: NameServer = 67.100.187.201

  1. Make sure your settings allow you to view "Hidden files" & "hide protected operating system files" is unchecked. Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "atlnc32.exe" & "javaeb32.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  4. Scroll down and find the service called "Network Security Service".
  5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tolip.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tolip.dll/sp.html#96676

    O2 - BHO: (no name) - {935EBCE9-F516-EEA1-1F61-F8F6D4C9372C} - C:\WINDOWS\system32\apizc32.dll

    O4 - HKLM\..\Run: [atlnc32.exe] C:\WINDOWS\atlnc32.exe
    O4 - HKLM\..\RunOnce: [javaeb32.exe] C:\WINDOWS\javaeb32.exe
    O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\system32\d3hi.exe

  7. Reboot into Safe Mode - How do I boot into "Safe" mode? , and delete the following files:

    C:\WINDOWS\tolip.dll

    C:\WINDOWS\system32\apizc32.dll

    C:\WINDOWS\atlnc32.exe
    C:\WINDOWS\javaeb32.exe
    C:\WINDOWS\system32\d3hi.exe


    Reboot in Normal Mode.
    Download the file attached to this post and rename it to cwsuninst.reg
    Doubleclick it and confirm you want to merge it with the registry.
    Run HijackThis again and post a new log.

    File Attachment

    Extra notes
    If given full internet access this variant will delete:
    - your hosts file (good replacements can be found here or here )
    - Spybot S&D's BHO (download SDHelper.dll, put it in the Spybot folder (default is: C:\Program Files\Spybot - Search & Destroy\) and click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" > OK
    - control.exe: follow instructions here: http://www.spywareinfo.com/~merijn/...es.html#control

I followed the instructions below until I got to the part about deleting files while in Safe mode. I didn't find any of those Windows files to delete. (?)
I rebooted in regular mode and of course my IE is still getting hijacked.
Suggestions? Thanks

  1. Make sure your settings allow you to view "Hidden files" & "hide protected operating system files" is unchecked. Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "atlnc32.exe" & "javaeb32.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  4. Scroll down and find the service called "Network Security Service".
  5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tolip.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tolip.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tolip.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tolip.dll/sp.html#96676

    O2 - BHO: (no name) - {935EBCE9-F516-EEA1-1F61-F8F6D4C9372C} - C:\WINDOWS\system32\apizc32.dll

    O4 - HKLM\..\Run: [atlnc32.exe] C:\WINDOWS\atlnc32.exe
    O4 - HKLM\..\RunOnce: [javaeb32.exe] C:\WINDOWS\javaeb32.exe
    O4 - HKLM\..\RunOnce: [d3hi.exe] C:\WINDOWS\system32\d3hi.exe

  7. Reboot into Safe Mode - How do I boot into "Safe" mode? , and delete the following files:

    C:\WINDOWS\tolip.dll

    C:\WINDOWS\system32\apizc32.dll

    C:\WINDOWS\atlnc32.exe
    C:\WINDOWS\javaeb32.exe
    C:\WINDOWS\system32\d3hi.exe


    Reboot in Normal Mode.
    Download the file attached to this post and rename it to cwsuninst.reg
    Doubleclick it and confirm you want to merge it with the registry.
    Run HijackThis again and post a new log.

    File Attachment

    Extra notes
    If given full internet access this variant will delete:
    - your hosts file (good replacements can be found here or here )
    - Spybot S&D's BHO (download SDHelper.dll, put it in the Spybot folder (default is: C:\Program Files\Spybot - Search & Destroy\) and click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" > OK
    - control.exe: follow instructions here: http://www.spywareinfo.com/~merijn/...es.html#control

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt here.

I downloaded Registar Lite and pasted the line below into the address bar.
The following defaulted into the address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Didn't find any Appinit_DLL values. (?)

Tried to download FindnFix but the program is no longer available.

Thanks

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt here.

Still available at the first link I provided. Just tried it :) . Me off to bed now so will have to take this up tomorrow.

I swear I got a broken link when I clicked yesterday! :)

Here is the FindNFix log:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

Tue 07/13/2004
8:11am up 0 days, 0:47

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/12)»»»»»»»»»»»»»»»»

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

No matches found.

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
apizc32.dll Sat Jun 26 2004 4:17:40a A.SH. 91,136 89.00 K
d3li.dll Thu May 20 2004 2:55:02a A.SH. 91,136 89.00 K
rwqhn.dll Sun May 30 2004 5:37:30a A.SH. 67,584 66.00 K
rzgmh.dll Mon Jun 28 2004 9:46:50a A.SH. 67,584 66.00 K
wbuyf.dll Tue Jun 29 2004 12:16:06p A.SH. 71,168 69.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 388,608 bytes 379.50 K

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\APIZC32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\D3LI.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RWQHN.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RZGMH.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WBUYF.DLL

»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group PAUL\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
8:14am up 0 days, 0:49
Tue 07/13/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-13-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 268 07-13-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Tue Jul 13 2004 7:50:38a .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: ?
00001190: vk UDeviceNo
000011D0:tSelectedTimeout 1 5 ( W vk ' z
00001210:GDIProcessHandleQuota" 9 0 ! vk X
00001250:Spooler2 y e s vk =pswapdisk
00001290: 8 h vk ( R TransmissionRetryTimeout
000012D0: vk ' c USERProcessHandleQuotac 8
00001310:h
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value entry was NOT found!

Still available at the first link I provided. Just tried it :) . Me off to bed now so will have to take this up tomorrow.

Looks like freeatlast has prohibited it's use by unauthorized boards (this being one) so will not be able to progress with this. Sorry. Good news is that the file we are looking for does not exist :) .

*
»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*
*

Download About:buster from http://downloads.subratam.org/AboutBuster.zip and unzip it to your desktop.

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Reboot your computer in normal mode.

Ran About Buster. The hijacker is still there, pop ups and all.
Now I can't access Tools- Internet options at all.
I get the message:This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

Looks like freeatlast has prohibited it's use by unauthorized boards (this being one) so will not be able to progress with this. Sorry. Good news is that the file we are looking for does not exist :) .

*
»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*
*

Download About:buster from http://downloads.subratam.org/AboutBuster.zip and unzip it to your desktop.

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Reboot your computer in normal mode.

Am not sure what has happened there, have not had it occur before. Can you do a system restore to a time before you got the hijack?

I tried several dates but keep getting the message:
Your computer cannot be restored to: (any date I enter)
I also get the message: C:windows/winpx.exe - Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

Am not sure what has happened there, have not had it occur before. Can you do a system restore to a time before you got the hijack?

This winpx.exe is also driving my virus filter nuts!

Am not sure what has happened there, have not had it occur before. Can you do a system restore to a time before you got the hijack?

Might be a silly question but, have you tried logging on as Administrator? Then resetting permissions for all users?

I am logged on as administrator but have no idea how to reset permissions for users of IE. I can get into Internet options with one user but not the other - both have admin. permissions. I am a novice and don't have any experience with administrator functions. It's a PC with me as the only user and I've never had the need to administer anything before :rolleyes:

Might be a silly question but, have you tried logging on as Administrator? Then resetting permissions for all users?

Perhaps you can try opening another user account & see if the functions work correctly for that one. If so, you should be able to transfer settings & stuff later.

Ok, I have deleted some stuff Norton found and I am back to where I was last week. I have control of my Tools again but the hijacker is still there.
When I run Ad-aware I find numerous entries that appear to be problems including two programs:

windows\system32\dnnhf.dll and wbuyf.dll

I delete everything found by adaware but they come back.

Ad-aware identifies all of these files and registry entries as CWS Hijack entries.
Should I re-run Hi-jack this and start again? Thanks

Perhaps you can try opening another user account & see if the functions work correctly for that one. If so, you should be able to transfer settings & stuff later.

Should I re-run Hi-jack this and start again? Thanks

Yes- good idea. The log you first posted is two weeks old now, and you've made a lot of changes in that time.

I have now followed the routine suggested by caperjack and here are the results of the scans:

-- Scan 1 --------
About:Buster Version 1.27
Removed! : C:\WINDOWS\System32\jrpqi.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 12:30:22 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ALURIA~1\ASE\ASEserv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\windm32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\atlnc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\PROGRA~1\NET2PH~1\CommCtr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sonicbox\Sonicbox iM Tuner\iM_Tray.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\BHODemon\BHODemon.exe
C:\Palm\HOTSYNC.EXE
C:\Documents and Settings\Paul Brockway\Local Settings\Temp\Temporary Directory 3 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dnnhf.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.conklyns.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dnnhf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dnnhf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A52FA47B-BA50-C6CB-6B02-1F30CC46D589} - C:\WINDOWS\system32\d3li.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [atlnc32.exe] C:\WINDOWS\atlnc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\RunOnce: [windm32.exe] C:\WINDOWS\system32\windm32.exe
O4 - HKLM\..\RunOnce: [sysms.exe] C:\WINDOWS\system32\sysms.exe
O4 - HKLM\..\RunOnce: [crde32.exe] C:\WINDOWS\crde32.exe
O4 - HKLM\..\RunOnce: [ipel.exe] C:\WINDOWS\ipel.exe
O4 - HKLM\..\RunOnce: [appcf32.exe] C:\WINDOWS\system32\appcf32.exe
O4 - HKLM\..\RunOnce: [sysnm32.exe] C:\WINDOWS\system32\sysnm32.exe
O4 - HKLM\..\RunOnce: [apikh.exe] C:\WINDOWS\system32\apikh.exe
O4 - HKLM\..\RunOnce: [apibf.exe] C:\WINDOWS\apibf.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SB StartCenter.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.conklyns.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.conklyns.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://192.168.2.176/img/NetCamPlayerWeb.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA8DFF4F-BA2A-41E3-84C7-186999C8A32C}: NameServer = 67.100.187.201

Files that come up when I run AdAware look like ...dnnhf.dll, wbuyf.dll, winka.exe. Does this mean anything to you guys?

Any ideas? Thanks


Yes- good idea. The log you first posted is two weeks old now, and you've made a lot of changes in that time.

Ugh- they're morphing. :evil:


1. Disable Windows' System Restore function. An explanation of why you want to do this and how to do it is here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

- Now close all running/open programs, disconnect your computer from the Internet, and:

2. Have HJT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dnnhf.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dnnhf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dnnhf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
O2 - BHO: (no name) - {A52FA47B-BA50-C6CB-6B02-1F30CC46D589} - C:\WINDOWS\system32\d3li.dll
O4 - HKLM\..\Run: [atlnc32.exe] C:\WINDOWS\atlnc32.exe
O4 - HKLM\..\RunOnce: [windm32.exe] C:\WINDOWS\system32\windm32.exe
O4 - HKLM\..\RunOnce: [sysms.exe] C:\WINDOWS\system32\sysms.exe
O4 - HKLM\..\RunOnce: [crde32.exe] C:\WINDOWS\crde32.exe
O4 - HKLM\..\RunOnce: [ipel.exe] C:\WINDOWS\ipel.exe
O4 - HKLM\..\RunOnce: [appcf32.exe] C:\WINDOWS\system32\appcf32.exe
O4 - HKLM\..\RunOnce: [sysnm32.exe] C:\WINDOWS\system32\sysnm32.exe
O4 - HKLM\..\RunOnce: [apikh.exe] C:\WINDOWS\system32\apikh.exe
O4 - HKLM\..\RunOnce: [apibf.exe] C:\WINDOWS\apibf.exe
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://192.168.2.176/img/NetCamPlayerWeb.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

3. Delete the contents of all Cookie, Temp, and Temporary Internet Files folders, and then empty the Recycle Bin. Reboot into safe mode after that.

4. Once in safe mode, open Windows Explorer. Go to the Tools menu and select Folder Options. In the Advanced section under the View tab, check "show hidden files and folders"; uncheck "hide extentions for known filetypes" and "hide protected oprating system files". Click OK.

5. Find and delete all of the .dll and .exe files in the HJT entries I listed above.

6. Empty the Recycle Bin and reboot normally

Finally! Looks like we've got this machine cleaned up.

Followed the routine below but still had the problem. Went back, ran HJT again and found one more suspect file (ntjk32.exe) and deleted it as well as about 6 other files that had reappeared. As of now everything is working great! Thanks to everyone who helped me solve this problem.

Ugh- they're morphing. :evil:


1. Disable Windows' System Restore function. An explanation of why you want to do this and how to do it is here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

- Now close all running/open programs, disconnect your computer from the Internet, and:

2. Have HJT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dnnhf.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dnnhf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dnnhf.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dnnhf.dll/sp.html#96676
O2 - BHO: (no name) - {A52FA47B-BA50-C6CB-6B02-1F30CC46D589} - C:\WINDOWS\system32\d3li.dll
O4 - HKLM\..\Run: [atlnc32.exe] C:\WINDOWS\atlnc32.exe
O4 - HKLM\..\RunOnce: [windm32.exe] C:\WINDOWS\system32\windm32.exe
O4 - HKLM\..\RunOnce: [sysms.exe] C:\WINDOWS\system32\sysms.exe
O4 - HKLM\..\RunOnce: [crde32.exe] C:\WINDOWS\crde32.exe
O4 - HKLM\..\RunOnce: [ipel.exe] C:\WINDOWS\ipel.exe
O4 - HKLM\..\RunOnce: [appcf32.exe] C:\WINDOWS\system32\appcf32.exe
O4 - HKLM\..\RunOnce: [sysnm32.exe] C:\WINDOWS\system32\sysnm32.exe
O4 - HKLM\..\RunOnce: [apikh.exe] C:\WINDOWS\system32\apikh.exe
O4 - HKLM\..\RunOnce: [apibf.exe] C:\WINDOWS\apibf.exe
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://192.168.2.176/img/NetCamPlayerWeb.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

3. Delete the contents of all Cookie, Temp, and Temporary Internet Files folders, and then empty the Recycle Bin. Reboot into safe mode after that.

4. Once in safe mode, open Windows Explorer. Go to the Tools menu and select Folder Options. In the Advanced section under the View tab, check "show hidden files and folders"; uncheck "hide extentions for known filetypes" and "hide protected oprating system files". Click OK.

5. Find and delete all of the .dll and .exe files in the HJT entries I listed above.

6. Empty the Recycle Bin and reboot normally

Glad we could help, and I hope that was all of it.

Make sure to use Windows Update to keep current on MS critical fixes/security patches, and update and run your anti-virus/anti-swpyware programs regularly to keep yourself clean.

BTW- if you're sure your system is clean, you might want to re-enable System Restore again at this point. Feel free to post a new HJT log if you want us to give it a (hopefully) final review.

Final log - everything OK! Thanks for the help!

Cool. Again- glad we could help!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.