[multimodes]

Good day guys: as you can see from the title I am having a bit of a problem. I read though a couple of threads but I did not know what to delete. I did try deleting from R0 & R1 anything that had hjbqd.dll attached to it, but that did not see to clear my problem. I also looked for similar programs / folders that other people had been deleing but did not find any that mathced. Could you please help me in fixing this problem.


I have aready downloaded "Hijack This"
" as you can see from below / I also have Ad-ware & sypot. My virus program is Norton and I always keep it up to date.

My opearatng system is Wondows XP.
Thank you for your time & patience.




res://hjbqd.dll/index.html#10213

Logfile of HijackThis v1.98.0
Scan saved at 6:32:45 AM, on 8/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\MG-SOFT\MIB Browser\Bin\MgWTrap3.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\atloa32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\addcl32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Spybot\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjbqd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hjbqd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjbqd.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {418BB343-32C8-F3D1-47C1-6736B59653BA} - C:\WINDOWS\system32\mszd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [addcl32.exe] C:\WINDOWS\system32\addcl32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30A11B90-89B1-4444-904E-81B7A2EFC44A} (RNTProcessManager Control) -

[Lewie1]

I'm also new at Hijack This. My boss had a problem with a hijacked browser page. I used Adaware and Spybot and still no luck. So I checked into CWshredder.exe and it worked!!!! It cleans up pieces that the other programs leave behind.

Try this: http://www.download.com/3120-20-0.ht...der&tg=dl-2001

Nothing like a happy boss.

[multimodes]

Thanks for the reply. I had already tried CWShredder but I had no luck.
Take a look I tried it again. I need help, the log file of Hijack This should have the answer. I just do not know which file(s) to delete.


Done!
Your system was completely clean.

Windows XP (5.01.2600 SP1)
CWShredder v1.59.1
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit:
http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.spywareinfo.com/~merijn/cwschronicles.html

For donations to help support CWShredder, visit:
http://www.spywareinfo.com/~merijn/donate.html

[svincent]

Ok use HijackThis to delete these Processes
C:\WINDOWS\atloa32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\addcl32.exe
C:\WINDOWS\System32\pctspk.exe

Then use HijackThis to fix these entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjbqd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hjbqd.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjbqd.dll/index.html#10213
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hjbqd.dll/sp.html#10213
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [addcl32.exe] C:\WINDOWS\system32\addcl32.exe

Also check out this link, snds like a good solution
http://forum.aumha.org/viewtopic.php?t=6466

cheers - Shane

[multimodes]

Thank you for the response I really appreciated it. By the way you do realize that Hijack This cannot delete EXE files, they need to be deleted separately. Probably in the way that the other web address suggest in safe mode. Before I proceed I would like to double check you’re findings with a Senior member.

Could someone from the Senior side of the house please confirm.
Thanks again.