
Hi, I have caught a nasty homepage hijacker called: http://kon4ay.biz/b/.

Does anybody have any ideas how to totally get rid of this thing? I have run NoAdware, AdAware, Spybot and AVG antivirus. Nothing seems to detect it but HijackThis; anyway, here's my HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 10:37:39 PM, on 2/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Q92194.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://kon4ay.biz/b/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kon4ay.biz/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/b/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kon4ay.biz/b/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kon4ay.biz/b/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {FD7200E7-D71A-4C80-8F30-B1DB72A246F9} - (no file)
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SearchAssistant] "C:\Q92194.exe "
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [NoAdware3] "C:\Program Files\NoAdware3\NoAdware3.exe" /s
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099463467078
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABC604C-089B-48A8-87A7-2D67001B4EE5}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABC604C-089B-48A8-87A7-2D67001B4EE5}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{1ABC604C-089B-48A8-87A7-2D67001B4EE5}: NameServer = 64.83.0.10,64.83.1.10
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: FireDaemon Service: ecure - Unknown - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: svchost1 - Unknown - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: system - Unknown - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

PLEASE HELP A GUY OUT, Thanks to all who share the knowledge!! :surprised

3 Contributors | 6 Replies | 7 Views | 12 Years Discussion Span | Last Post by dlh6213
0

There is a newer version of HJT here.

Delete the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://kon4ay.biz/b/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kon4ay.biz/b/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kon4ay.biz/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://kon4ay.biz/b/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://kon4ay.biz/b/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://kon4ay.biz/b/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SearchAssistant] "C:\Q92194.exe "
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)

And are any of these your IP address?

206.161.125.149
64.83.0.10,64.83.1.10

Also for this line right here
O4 - HKLM\..\Run: [SearchAssistant] "C:\Q92194.exe "

You need to manually delete it, so go to Add/Remove Programs and see if it's there; if not, tell me. It also works better in Safe Mode. After removing that, delete it from your Recycle Bin.

0

So both of them you are familiar with? Because they appear in the log and could possibly be harmful.

0

Just the longer IP address. Also, Add/Remove Programs did not locate that Search Assistant file. And HijackThis deleted those files, but when I did a scan, they came right back.

0

That's why you need to delete them: go to Search and search for it. Then remove the IP address you're not familiar with.

0

You need to go to Windows Update and get the Critical Updates for your system; hold off on SP2, however, at least until your system is cleaned up.
