0

Hi,

I am trying to remove Shopping Wizard, Search Extender, and Home Search Assistant from the computer. I can see those programs in the Add/Remove Programs list, but cannot remove them. I tried to run Ad-Aware and Spybot. Still no luck.

Here is the log file from HijackThis. Any help on this topic will be greatly appreciated.

Thanks
Adi

Log File:

Logfile of HijackThis v1.99.1
Scan saved at 7:39:04 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Ikfcrwr\Eowle.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5E.tmp.exe
C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5D.tmp.exe
C:\WINDOWS\sysgk.exe
C:\Program Files\Free History Eraser\HistoryEraser.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\apisr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HTJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lputi.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lputi.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D04E1765-3EDC-D030-538C-2C1A74BEFF54} - C:\WINDOWS\system32\apiag.dll
O2 - BHO: Class - {D9AA0B45-D4FD-7AED-3EAA-679FA1487A31} - C:\WINDOWS\appmn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dqujni] C:\Program Files\Ikfcrwr\Eowle.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [apiqp32.exe] C:\WINDOWS\apiqp32.exe
O4 - HKLM\..\Run: [B5D.tmp] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5D.tmp.exe
O4 - HKLM\..\Run: [B5E.tmp] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5E.tmp.exe
O4 - HKLM\..\Run: [d3vv32.exe] C:\WINDOWS\d3vv32.exe
O4 - HKLM\..\Run: [B5E.tmp.exe] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5E.tmp.exe
O4 - HKLM\..\Run: [B5D.tmp.exe] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5D.tmp.exe
O4 - HKLM\..\Run: [sysgk.exe] C:\WINDOWS\sysgk.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msgina] C:\WINDOWS\system32\msgina\wuauclt2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: www.teen-fantazi.com
O15 - Trusted Zone: *.teen-fantazi.com
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apisr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

0

Hi Adi, welcome to DaniWeb :)

Your log indicates quite a few "unwanted guests", and it also indicates that you have a couple of "bogus" anti-spyware programs installed.

A) SpyFighter and AdwareAlert are programs known to display false positives in an effort to coax/scare you into paying money for their products; you should uninstall both programs using your Add/Remove Programs control panel. Before downloading/installing/purchasing any adware or spyware utility, you should check this site to see if the program is reputable or not.


B) Please perform the following disinfection procedures:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Download and run these specific about:blank/Home Search/etc. removal tools (before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed):

CWShredder - http://www.intermute.com/spysubtrac...r_download.html
about:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html


2. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


3. Download and install the CCleaner utility, but don't run it yet.


4. Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named "Network Security Service" or " 11Fßä#·ºÄÖ`I" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.
- Close the Services utility after that.


5. Run HijackThis again, put a check mark next to the following entries (if they exist), and then click the "Fix checked" button. Close HJT once it has finished performing its fixes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lputi.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lputi.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D04E1765-3EDC-D030-538C-2C1A74BEFF54} - C:\WINDOWS\system32\apiag.dll
O2 - BHO: Class - {D9AA0B45-D4FD-7AED-3EAA-679FA1487A31} - C:\WINDOWS\appmn.dll
O4 - HKLM\..\Run: [Dqujni] C:\Program Files\Ikfcrwr\Eowle.exe
O4 - HKLM\..\Run: [apiqp32.exe] C:\WINDOWS\apiqp32.exe
O4 - HKLM\..\Run: [B5D.tmp] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5D.tmp.exe
O4 - HKLM\..\Run: [B5E.tmp] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5E.tmp.exe
O4 - HKLM\..\Run: [d3vv32.exe] C:\WINDOWS\d3vv32.exe
O4 - HKLM\..\Run: [B5E.tmp.exe] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5E.tmp.exe
O4 - HKLM\..\Run: [B5D.tmp.exe] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5D.tmp.exe
O4 - HKLM\..\Run: [sysgk.exe] C:\WINDOWS\sysgk.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [msgina] C:\WINDOWS\system32\msgina\wuauclt2.exe
O15 - Trusted Zone: www.teen-fantazi.com
O15 - Trusted Zone: *.teen-fantazi.com
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apisr.exe

6. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


7. Run CleanUP! It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.


8. Run AVG, SpyBot, ewido, AdAware, and MS Antispyware beta consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.


9. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files (some of these should already have been deleted by the removal utilities):

C:\WINDOWS\lputi.dll
C:\WINDOWS\system32\apiag.dll
C:\WINDOWS\appmn.dll
C:\WINDOWS\apiqp32.exe
C:\WINDOWS\d3vv32.exe
C:\WINDOWS\sysgk.exe
C:\WINDOWS\system32\msgina\wuauclt2.exe
C:\WINDOWS\system32\apisr.exe

- Delete the following folders entirely:

C:\Program Files\Ikfcrwr
C:\Program Files\SpyFighter
C:\Program Files\AdwareAlert


10. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.

0

Dear DaniWeb IT Community,

Thanks a lot for your help. I have taken all the steps you mentioned in the email to remove the spyware. Here are the Ewido scan log file and the HijackThis log file.

I do appreciate your help. Do you think my PC is clean?

 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          2:44:46 AM, 12/13/2005
 + Report-Checksum:     B3C825EF

 + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{1082088A-E784-5093-F9A0-07E5588FA67C} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{1BD83F34-5674-FA0D-E5B2-7D7655F0D46F} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{4AEDA6FC-6816-F03C-12F8-CDE056451F16} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{8424A742-21C5-E92B-D6A5-2B565D796258} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{C54510FE-72AA-27FF-1198-0CC47906F451} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@cbs.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@cnn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\guest@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\WINDOWS\addil32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\addvs32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\apiho.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\apiiq.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\apind32.dll -> Downloader.WinShow.bg : Cleaned with backup
    C:\WINDOWS\appbg.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\appjq.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\crdq.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\crso32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\crxz.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\d3ae32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\d3km32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\d3md.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\d3om32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\d3zb.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\iegr.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\iehn.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\iemq32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\ipku.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\javaae.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\javaam32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\javadl32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\javans32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\mslw32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\msra32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\msty32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
    C:\WINDOWS\netcw.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\netcz.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\netmv.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\ntjh.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\ntmo32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\sdkdo.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\sysbd.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\sysfi32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\sysjz32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\syslu.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\addhx32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\addmo32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\addon.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\addpe32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\apiik32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\apiky.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\apisr.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\SYSTEM32\appjf32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\appvg32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\appzv32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\atldu.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\atlhx.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\atlie.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\atltr.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\crjt.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\crov32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ieba32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\iebo32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\iejz32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ieyf32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ipmn32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ipqg32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ipqu.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ipzd.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\javaii32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\javalz32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\javard32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mfcri32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\msti32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mswf32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\netib32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\nettg32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ntgc32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ntgi.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ntjo32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\SYSTEM32\sdkov32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\sdkqf.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\sdkzj.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\SYSTEM32\sysbj.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\syskp.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\syssx32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\sysuf32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\SYSTEM32\syswr32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\SYSTEM32\winbp32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\SYSTEM32\winso32.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\winhn.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\WINNT256.BMP:khyuh -> Downloader.WinShow.bg : Cleaned with backup
    C:\WINDOWS\winsv.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\wintf32.exe -> Downloader.Agent.td : Cleaned with backup


::Report End
--------------------------------------------------------

Logfile of HijackThis v1.99.1
----------------------------------------------------------
Scan saved at 5:58:29 PM, on 12/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HTJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wejca.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = abount:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wejca.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wejca.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = abount:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wejca.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wejca.dll/sp.html#10001
O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3lh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Again, Thanks a lot for helping me out!

Edited by mike_2000_17: Fixed formatting

0

Many infections have been cleaned, but the main Home Search/about:Blank infection still appears to be present.

Please run the 4 about:blank-specific utilities (from #1 in my last post) again and post a new HJT log.
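Added example (not part of the original thread, and not HijackThis's own logic): a small triage script that parses HijackThis-style log lines and flags the patterns visible in the logs above, then compares the 12/11 and 12/13 scans to show why the search hijack counts as still present even though the DLL name changed. The function names and the four heuristics are assumptions chosen for illustration; the sample lines are taken from the logs posted in this thread.

```python
import re

# Lines taken from the 12/11 and 12/13 HijackThis logs in this thread
# (the garbled display name of the apisr.exe service is left out).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lputi.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {D04E1765-3EDC-D030-538C-2C1A74BEFF54} - C:\WINDOWS\system32\apiag.dll
O4 - HKLM\..\Run: [B5D.tmp] C:\DOCUME~1\ADITYA~1\LOCALS~1\Temp\B5D.tmp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O23 - Service: Network Security Service - Unknown owner - C:\WINDOWS\system32\apisr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wejca.dll/sp.html#10001
O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - rest of line"
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)


def parse(log):
    """Return (section code, rest of line) pairs; non-entry lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]


def flag(code, body):
    """Return the reasons (possibly none) an entry deserves a closer look."""
    reasons = []
    if code in ("R0", "R1"):
        m = RES_DLL.search(body)
        if m:
            # IE start/search settings normally hold a URL, not a DLL resource.
            reasons.append("IE setting points into DLL resource " + m.group(1))
    if code == "O2" and body.endswith("(file missing)"):
        reasons.append("BHO still registered although its file is gone")
    if code == "O4" and TEMP_PATH.search(body):
        reasons.append("autorun entry launches from a Temp directory")
    if code == "O23" and "- Unknown owner -" in body:
        reasons.append("service reported with 'Unknown owner'")
    return reasons


def triage(log):
    """List (code, body, reasons) for every entry that matched a heuristic."""
    flagged = []
    for code, body in parse(log):
        reasons = flag(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


def hijack_dlls(log):
    """Lower-cased DLL paths that IE R0/R1 settings load pages from."""
    dlls = set()
    for code, body in parse(log):
        m = RES_DLL.search(body) if code in ("R0", "R1") else None
        if m:
            dlls.add(m.group(1).lower())
    return dlls


def compare(before, after):
    """Summarise whether the res:// search hijack survived a cleanup pass."""
    old, new = hijack_dlls(before), hijack_dlls(after)
    return {
        "before": old,
        "after": new,
        "still_hijacked": bool(new),
        "dll_changed": bool(new) and new != old,
    }


if __name__ == "__main__":
    for label, log in (("12/11", LOG_BEFORE), ("12/13", LOG_AFTER)):
        print("Scan", label)
        for code, body, reasons in triage(log):
            print("  %-3s %s\n      -> %s" % (code, body, "; ".join(reasons)))
    print(compare(LOG_BEFORE, LOG_AFTER))
```

The Google Toolbar `O8` line also uses `res://` but is not flagged, because only the `R0`/`R1` IE settings are checked for it. The randomly named BHO `apiag.dll` passes these four heuristics untouched, so an empty result from the script does not mean the log is clean.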

0

Hi,
I ran all four about:blank-specific utilities as suggested. Here is the log file after that:

Logfile of HijackThis v1.99.1
Scan saved at 8:16:45 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3lh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Appreciate your time and efforts!
Thanks

0

Better still; only three leftovers to go...

1. Run HJT again and have it fix:

O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3lh.dll (file missing)


2. Reboot into Safe Mode again.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Verify that the following files have truly been removed; if not, delete them now:

C:\WINDOWS\system32\netna.dll
C:\WINDOWS\system32\appon32.dll
C:\WINDOWS\d3lh.dll

- Empty your Recycle Bin.

- Perform one more scan/fix with ewido and save the new scan report log.


3. Reboot normally, run HijackThis again, and post the new (and hopefully final) log. Also post the log that ewido generated.

0

Hi,
I did all the things you suggested in the last email.
Here is the ewido file,

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          8:43:12 PM, 12/15/2005
 + Report-Checksum:     B09B6609

 + Scan result:

    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Aditya Sakhalkar\Cookies\aditya sakhalkar@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End

Hijack Fix log file,

Logfile of HijackThis v1.99.1
Scan saved at 8:46:50 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HTJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Thanks for your help!

Edited by Nick Evan: Fixed formatting

0

Good work; it took a little doing, but your log is clean now :)

Does everything seem to be functioning properly now?
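
The comparison made across the last two HijackThis logs in this thread, as an added example that is not part of the original posts: it parses the entry lines, lists entries marked "(file missing)" or "(no file)", and reports which entries disappeared between the earlier and the later log. The function names are hypothetical, and the two sample logs are short excerpts copied from the 12/14 and 12/15 logs above.

```python
import re

# A HijackThis entry line looks like "O2 - BHO: Class - {CLSID} - C:\path (file missing)".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Excerpts of the 12/14 and 12/15 logs in this thread (shortened for the example).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: Class - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netna.dll (file missing)
O2 - BHO: Class - {9FBCDEFF-A6FC-C42E-2DA5-84537095BAA5} - C:\WINDOWS\system32\appon32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {EC0BF822-7720-175B-2901-9FA68F761D30} - C:\WINDOWS\d3lh.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

def parse_entries(log_text):
    """Return one dict per R*/O* entry; header and process-list lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphaned": any(marker in body for marker in ORPHAN_MARKERS),
        })
    return entries

def orphaned(entries, section=None):
    """Entries whose registry value points at a file HijackThis could not find."""
    return [e for e in entries
            if e["orphaned"] and (section is None or e["section"] == section)]

def removed_between(before, after):
    """Entries present in the earlier log and absent from the later one."""
    kept = {(e["section"], e["body"]) for e in after}
    return [e for e in before if (e["section"], e["body"]) not in kept]
```

An entry flagged here only means the registry still references a file that is not on disk; whether it is a leftover of the infection or of an uninstalled legitimate program is a judgement made per entry.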
