Solved: I've been HIJACKED, pleeze help


cj2448

Thread Starter
Joined
Apr 25, 2004
Messages
544
Friend's laptop, every 2 seconds it says your browser is trying to be changed....didn't even know where to start, here is a HiJack Log.

I can't even get anywhere on the laptop online, it just goes to search page....if I need to run stuff can you please explain how I download updates so that I can download the file and updates to CD and move over to laptop.

Kindest regards,
Christine

Logfile of HijackThis v1.99.1
Scan saved at 6:07:18 PM, on 12/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\addtg32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TopSearch\TopSearch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WebRebates4\webrebates.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Java\j2re1.4.2\bin\javaw.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\sdkwg32.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {035C09F9-1EEA-C8C8-EC20-CA226F453AF4} - C:\WINDOWS\atlhj.dll (file missing)
O2 - BHO: Class - {05DDF3D2-6A66-0B87-40D6-F21D101758C7} - C:\WINDOWS\system32\apija32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0CEEC41A-54F9-F1D2-230D-B4B044ECC202} - C:\WINDOWS\atlyi32.dll (file missing)
O2 - BHO: Class - {12322E36-9432-4B58-CFAE-AF461F87C2DB} - C:\WINDOWS\javapt.dll (file missing)
O2 - BHO: Class - {13F26072-BCFF-707D-7E70-5D90B543F1C6} - C:\WINDOWS\apiah32.dll (file missing)
O2 - BHO: Class - {2345C8ED-802B-A5E6-4EE8-68E9D4825903} - C:\WINDOWS\iedl.dll (file missing)
O2 - BHO: Class - {347BABA5-14DC-22E5-AF4E-4A9AF3B61EB6} - C:\WINDOWS\sysah32.dll (file missing)
O2 - BHO: Class - {41233F22-2AA1-AADB-3DBC-1B1DBFFA830C} - C:\WINDOWS\system32\ipqh.dll
O2 - BHO: Class - {45392883-DD1C-FC42-B1BC-75A19920AD1D} - C:\WINDOWS\appcr.dll (file missing)
O2 - BHO: Class - {4D79FC93-36BD-152F-2313-9AC23B10DFA2} - C:\WINDOWS\system32\addjy32.dll (file missing)
O2 - BHO: Class - {4F8547B7-04B0-41F9-47AE-F8C66702847B} - C:\WINDOWS\system32\netbu.dll (file missing)
O2 - BHO: Class - {56F232CB-1514-101F-ABB5-2926D33A1BD3} - C:\WINDOWS\system32\netcj32.dll (file missing)
O2 - BHO: Class - {6BE5F351-F2D2-2264-8168-8EBE5F4A77D9} - C:\WINDOWS\iedg32.dll (file missing)
O2 - BHO: Class - {78991257-E463-8759-D99F-343F395ADFB0} - C:\WINDOWS\system32\mfcvf32.dll (file missing)
O2 - BHO: Class - {831710E3-7E06-570C-3083-83DF47D1F1A7} - C:\WINDOWS\syskl32.dll (file missing)
O2 - BHO: Class - {9437408B-D5FD-DD59-F300-D15AA010E64A} - C:\WINDOWS\addvb.dll (file missing)
O2 - BHO: Class - {94DC17FE-C8EB-ED86-AD62-742602CF4E5F} - C:\WINDOWS\system32\appmo32.dll (file missing)
O2 - BHO: Class - {964D3DD2-09FB-6B41-D4A8-3F2010E2B8A5} - C:\WINDOWS\iptw.dll
O2 - BHO: Class - {A0B7B1C7-F795-C9AF-3708-B2B4A5B8699B} - C:\WINDOWS\javatl32.dll (file missing)
O2 - BHO: Class - {A83F2621-E630-7943-FD17-24FC9321228A} - C:\WINDOWS\system32\ipqh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {B513F19C-5C67-40E1-6FA7-165FFCD035F2} - C:\WINDOWS\ipdr.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - C:\WINDOWS\ieor32.dll (file missing)
O2 - BHO: Class - {CFBA6A8B-141A-EFF7-2284-53A16D783BE4} - C:\WINDOWS\system32\d3qb32.dll (file missing)
O2 - BHO: Class - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O2 - BHO: Class - {ECDB01F4-FF73-F26C-DD86-4D5A54623E8F} - C:\WINDOWS\system32\ippw32.dll (file missing)
O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\ntjy.dll (file missing)
O2 - BHO: Class - {FD36CB53-F43E-C115-ED98-E1F307C77FD6} - C:\WINDOWS\ipir.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [addtg32.exe] C:\WINDOWS\system32\addtg32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: LimeWire 3.6.15.lnk = C:\Program Files\LimeWire\3.6.15\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkwg32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 
Joined
Sep 8, 2005
Messages
9,113
Welcome to TSG :)

Please Download and Install Ewido --

1. Download Ewido security suite from http://download.ewido.net/ewido-setup.exe
2. After the download is complete, double click on the file to launch the install process.
3. During installation under the Additional Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
4. Once installation is complete, launch Ewido by double-clicking the big "E" icon on your desktop. The program will prompt you to update -- click the 'OK' button.
5. The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
6. Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
7. Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
8. On the main screen, please select 'Complete System Scan' and the scan should begin.
9. While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to 'Perform action on all infections' in the box. Doing this enables the scan to proceed automatically until its completion. Click OK.
10. When the scan is complete, click "Save Report". Your scan results will be saved in a text file. Please submit that with your next post.

If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:

1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days; that is why we are not installing the guard, so it will not interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan. If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".
 
Joined
Jul 26, 2002
Messages
46,349
Ewido isn't going to fix this hijack. Please rescan with Hijack This and post a new log.

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
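An added example, not part of the original thread: one way to check whether the entries in two HijackThis logs have changed between scans, which is the situation the post above warns about. The function names are hypothetical, the first two samples are short excerpts of the logs posted in this thread, and the third sample with `EXAMPLE1.dll` is constructed to show what a changed entry looks like.

```python
import re
from collections import Counter

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# Lines in the "Running processes:" block are plain drive-letter paths.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+$")


def parse_hjt(text):
    """Split one log into running processes and registry/file entries.

    Header lines (version, scan time, platform) are ignored, so two scans
    taken minutes apart compare equal unless something really changed.
    """
    processes, entries = Counter(), Counter()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries[(match.group(1), match.group(2))] += 1
        elif in_processes and PROCESS_RE.match(line):
            # Windows paths are case-insensitive; System32 == system32.
            processes[line.lower()] += 1
    return {"processes": processes, "entries": entries}


def diff_logs(old_text, new_text):
    """Return what was added and removed between two scans."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    result = {}
    for kind in ("processes", "entries"):
        result[kind] = {
            "added": sorted((new[kind] - old[kind]).elements()),
            "removed": sorted((old[kind] - new[kind]).elements()),
        }
    return result


# Excerpt of the first log in this thread.
FIRST_SCAN = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:07:18 PM, on 12/27/2005

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sdkwg32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
O2 - BHO: Class - {41233F22-2AA1-AADB-3DBC-1B1DBFFA830C} - C:\WINDOWS\system32\ipqh.dll
O4 - HKLM\..\Run: [addtg32.exe] C:\WINDOWS\system32\addtg32.exe
"""

# Excerpt of the second log in this thread (AIM is now running).
SECOND_SCAN = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:39:13 PM, on 12/27/2005

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sdkwg32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
O2 - BHO: Class - {41233F22-2AA1-AADB-3DBC-1B1DBFFA830C} - C:\WINDOWS\system32\ipqh.dll
O4 - HKLM\..\Run: [addtg32.exe] C:\WINDOWS\system32\addtg32.exe
"""

# Constructed sample: the same scan with one file name swapped for a
# placeholder, to show how a changed entry appears in the diff.
REBOOT_SCAN = SECOND_SCAN.replace("cbiko.dll", "EXAMPLE1.dll")


if __name__ == "__main__":
    for label, old, new in (
        ("first -> second", FIRST_SCAN, SECOND_SCAN),
        ("second -> constructed", SECOND_SCAN, REBOOT_SCAN),
    ):
        print(label)
        for kind, change in diff_logs(old, new).items():
            for direction, items in change.items():
                for item in items:
                    print(f"  {kind} {direction}: {item}")
```

An empty `entries` diff means removal directions written against the older log still match the machine; any added or removed entry means they need to be rewritten against the newer one.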
 

cj2448

Thread Starter
Joined
Apr 25, 2004
Messages
544
Flrman1 said:
Ewido isn't going to fix this hijack. Please rescan with Hijack This and post a new log.

After you post the next Hijack This log, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
Thanks...here's the log
Logfile of HijackThis v1.99.1
Scan saved at 6:39:13 PM, on 12/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\addtg32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TopSearch\TopSearch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WebRebates4\webrebates.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Java\j2re1.4.2\bin\javaw.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\sdkwg32.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {035C09F9-1EEA-C8C8-EC20-CA226F453AF4} - C:\WINDOWS\atlhj.dll (file missing)
O2 - BHO: Class - {05DDF3D2-6A66-0B87-40D6-F21D101758C7} - C:\WINDOWS\system32\apija32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0CEEC41A-54F9-F1D2-230D-B4B044ECC202} - C:\WINDOWS\atlyi32.dll (file missing)
O2 - BHO: Class - {12322E36-9432-4B58-CFAE-AF461F87C2DB} - C:\WINDOWS\javapt.dll (file missing)
O2 - BHO: Class - {13F26072-BCFF-707D-7E70-5D90B543F1C6} - C:\WINDOWS\apiah32.dll (file missing)
O2 - BHO: Class - {2345C8ED-802B-A5E6-4EE8-68E9D4825903} - C:\WINDOWS\iedl.dll (file missing)
O2 - BHO: Class - {347BABA5-14DC-22E5-AF4E-4A9AF3B61EB6} - C:\WINDOWS\sysah32.dll (file missing)
O2 - BHO: Class - {41233F22-2AA1-AADB-3DBC-1B1DBFFA830C} - C:\WINDOWS\system32\ipqh.dll
O2 - BHO: Class - {45392883-DD1C-FC42-B1BC-75A19920AD1D} - C:\WINDOWS\appcr.dll (file missing)
O2 - BHO: Class - {4D79FC93-36BD-152F-2313-9AC23B10DFA2} - C:\WINDOWS\system32\addjy32.dll (file missing)
O2 - BHO: Class - {4F8547B7-04B0-41F9-47AE-F8C66702847B} - C:\WINDOWS\system32\netbu.dll (file missing)
O2 - BHO: Class - {56F232CB-1514-101F-ABB5-2926D33A1BD3} - C:\WINDOWS\system32\netcj32.dll (file missing)
O2 - BHO: Class - {6BE5F351-F2D2-2264-8168-8EBE5F4A77D9} - C:\WINDOWS\iedg32.dll (file missing)
O2 - BHO: Class - {78991257-E463-8759-D99F-343F395ADFB0} - C:\WINDOWS\system32\mfcvf32.dll (file missing)
O2 - BHO: Class - {831710E3-7E06-570C-3083-83DF47D1F1A7} - C:\WINDOWS\syskl32.dll (file missing)
O2 - BHO: Class - {9437408B-D5FD-DD59-F300-D15AA010E64A} - C:\WINDOWS\addvb.dll (file missing)
O2 - BHO: Class - {94DC17FE-C8EB-ED86-AD62-742602CF4E5F} - C:\WINDOWS\system32\appmo32.dll (file missing)
O2 - BHO: Class - {964D3DD2-09FB-6B41-D4A8-3F2010E2B8A5} - C:\WINDOWS\iptw.dll
O2 - BHO: Class - {A0B7B1C7-F795-C9AF-3708-B2B4A5B8699B} - C:\WINDOWS\javatl32.dll (file missing)
O2 - BHO: Class - {A83F2621-E630-7943-FD17-24FC9321228A} - C:\WINDOWS\system32\ipqh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {B513F19C-5C67-40E1-6FA7-165FFCD035F2} - C:\WINDOWS\ipdr.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - C:\WINDOWS\ieor32.dll (file missing)
O2 - BHO: Class - {CFBA6A8B-141A-EFF7-2284-53A16D783BE4} - C:\WINDOWS\system32\d3qb32.dll (file missing)
O2 - BHO: Class - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O2 - BHO: Class - {ECDB01F4-FF73-F26C-DD86-4D5A54623E8F} - C:\WINDOWS\system32\ippw32.dll (file missing)
O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\ntjy.dll (file missing)
O2 - BHO: Class - {FD36CB53-F43E-C115-ED98-E1F307C77FD6} - C:\WINDOWS\ipir.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [addtg32.exe] C:\WINDOWS\system32\addtg32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: LimeWire 3.6.15.lnk = C:\Program Files\LimeWire\3.6.15\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkwg32.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 
Joined
Jul 26, 2002
Messages
46,349
** First you need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:


* Click here to download cwsserviceremove.zip and unzip it to your desktop.



* Download Cleanup from Here
If that link is down, you can get Cleanup Here.
  • Save the Cleanup40 file to your desktop.
  • On your desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET



* Click Here and download the new version of Killbox and save it to your desktop.



* Click here to download CWShredder and save it to your desktop. Do Not run it yet.



* Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.



* Click here for info on how to boot to safe mode if you don't already know how.



**After you have downloaded all the above tools, sign off the internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.



* Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Network Security Service.
Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


** Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.



* Run Hijack This and put a check by all of the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {035C09F9-1EEA-C8C8-EC20-CA226F453AF4} - C:\WINDOWS\atlhj.dll (file missing)

O2 - BHO: Class - {05DDF3D2-6A66-0B87-40D6-F21D101758C7} - C:\WINDOWS\system32\apija32.dll (file missing)

O2 - BHO: Class - {0CEEC41A-54F9-F1D2-230D-B4B044ECC202} - C:\WINDOWS\atlyi32.dll (file missing)

O2 - BHO: Class - {12322E36-9432-4B58-CFAE-AF461F87C2DB} - C:\WINDOWS\javapt.dll (file missing)

O2 - BHO: Class - {13F26072-BCFF-707D-7E70-5D90B543F1C6} - C:\WINDOWS\apiah32.dll (file missing)

O2 - BHO: Class - {2345C8ED-802B-A5E6-4EE8-68E9D4825903} - C:\WINDOWS\iedl.dll (file missing)

O2 - BHO: Class - {347BABA5-14DC-22E5-AF4E-4A9AF3B61EB6} - C:\WINDOWS\sysah32.dll (file missing)

O2 - BHO: Class - {41233F22-2AA1-AADB-3DBC-1B1DBFFA830C} - C:\WINDOWS\system32\ipqh.dll

O2 - BHO: Class - {45392883-DD1C-FC42-B1BC-75A19920AD1D} - C:\WINDOWS\appcr.dll (file missing)

O2 - BHO: Class - {4D79FC93-36BD-152F-2313-9AC23B10DFA2} - C:\WINDOWS\system32\addjy32.dll (file missing)

O2 - BHO: Class - {4F8547B7-04B0-41F9-47AE-F8C66702847B} - C:\WINDOWS\system32\netbu.dll (file missing)

O2 - BHO: Class - {56F232CB-1514-101F-ABB5-2926D33A1BD3} - C:\WINDOWS\system32\netcj32.dll (file missing)

O2 - BHO: Class - {6BE5F351-F2D2-2264-8168-8EBE5F4A77D9} - C:\WINDOWS\iedg32.dll (file missing)

O2 - BHO: Class - {78991257-E463-8759-D99F-343F395ADFB0} - C:\WINDOWS\system32\mfcvf32.dll (file missing)

O2 - BHO: Class - {831710E3-7E06-570C-3083-83DF47D1F1A7} - C:\WINDOWS\syskl32.dll (file missing)

O2 - BHO: Class - {9437408B-D5FD-DD59-F300-D15AA010E64A} - C:\WINDOWS\addvb.dll (file missing)

O2 - BHO: Class - {94DC17FE-C8EB-ED86-AD62-742602CF4E5F} - C:\WINDOWS\system32\appmo32.dll (file missing)

O2 - BHO: Class - {964D3DD2-09FB-6B41-D4A8-3F2010E2B8A5} - C:\WINDOWS\iptw.dll

O2 - BHO: Class - {A0B7B1C7-F795-C9AF-3708-B2B4A5B8699B} - C:\WINDOWS\javatl32.dll (file missing)

O2 - BHO: Class - {A83F2621-E630-7943-FD17-24FC9321228A} - C:\WINDOWS\system32\ipqh.dll

O2 - BHO: Class - {B513F19C-5C67-40E1-6FA7-165FFCD035F2} - C:\WINDOWS\ipdr.dll (file missing)

O2 - BHO: Class - {C0ABA3B1-1D31-5501-C7B5-68D02849D3DC} - C:\WINDOWS\ieor32.dll (file missing)

O2 - BHO: Class - {CFBA6A8B-141A-EFF7-2284-53A16D783BE4} - C:\WINDOWS\system32\d3qb32.dll (file missing)

O2 - BHO: Class - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)

O2 - BHO: Class - {ECDB01F4-FF73-F26C-DD86-4D5A54623E8F} - C:\WINDOWS\system32\ippw32.dll (file missing)

O2 - BHO: Class - {EFC4F699-F19A-6D2A-3A0D-DA6A6848205C} - C:\WINDOWS\ntjy.dll (file missing)

O2 - BHO: Class - {FD36CB53-F43E-C115-ED98-E1F307C77FD6} - C:\WINDOWS\ipir.dll (file missing)

O4 - HKLM\..\Run: [addtg32.exe] C:\WINDOWS\system32\addtg32.exe

O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe

O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"

O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm


After you have checked all of those, click the "Fix Checked" button.

Exit Hijack This.



* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
C:\WINDOWS\system32\addtg32.exe

C:\Program Files\TopSearch

C:\Program Files\WebRebates4

C:\WINDOWS\system32\sdkwg32.exe


Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.



* Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.



* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.



* Run Cleanup:
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.



* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.



** Restart back into Windows normally now and do the following:



* Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.



* If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)



* Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.



* control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.



* IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.


* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
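
The pattern behind the fix list above, as an added example that is not part of the original post and is not HijackThis's own code: a Python parser that reads HijackThis-format lines and flags the three traits shared by the entries selected for fixing. The function name `triage`, the regexes and the reason strings are assumptions made for this illustration; the sample lines are copied from this thread's log.

```python
import re

# Sample input: HijackThis v1.99.1 lines copied from the log in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cbiko.dll/sp.html#37049
O2 - BHO: Class - {41233F22-2AA1-AADB-3DBC-1B1DBFFA830C} - C:\WINDOWS\system32\ipqh.dll
O2 - BHO: Class - {FD36CB53-F43E-C115-ED98-E1F307C77FD6} - C:\WINDOWS\ipir.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkwg32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")        # section code, then the rest
LOCAL_RES = re.compile(r"^res://.+\.dll/", re.I)          # page served out of a local DLL
GENERIC_BHO = re.compile(                                  # BHO named only "Class", DLL in Windows dir
    r"^BHO: Class - \{[0-9A-F-]{36}\} - C:\\WINDOWS\\(?:system32\\)?[^\\]+\.dll", re.I)
SERVICE = re.compile(r"^Service: (.*?)(?: \(([^()]*)\))?$")  # display name, optional (key name)

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve an analyst's attention."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blanks
        code, rest = m.groups()
        if code in ("R0", "R1") and " = " in rest:
            value = rest.split(" = ", 1)[1]
            if LOCAL_RES.match(value):
                findings.append((line, "IE setting points into a local DLL resource"))
        elif code == "O2" and GENERIC_BHO.match(rest):
            state = "missing" if rest.endswith("(file missing)") else "present"
            findings.append((line, f"generic BHO in Windows directory, file {state}"))
        elif code == "O23":
            # Split from the right: the display name may itself contain " - ".
            parts = rest.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                sm = SERVICE.match(parts[0])
                key = sm.group(2) if sm else None
                # Heuristic (assumption): a key name with characters outside [A-Za-z0-9_ .-]
                if key and re.search(r"[^\w .-]", key, re.ASCII):
                    findings.append((line, "Unknown owner service with non-alphanumeric key name"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

"Unknown owner" on its own is not treated as a signal here: WLTRYSVC carries it in this log and is not in the fix list above.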
 

cj2448

Thread Starter
Joined
Apr 25, 2004
Messages
544
Ok, I'm a dork, I can't find an update button to update the aboutbuster????
 
Joined
Jul 26, 2002
Messages
46,349
I see they have changed AboutBuster. It no longer has the update function.
 

cj2448

Thread Starter
Joined
Apr 25, 2004
Messages
544
Flrman1 said:
I see they have changed AboutBuster. It no longer has the update function.
I felt so dumb asking! But, I am determined to follow your instructions thoroughly so I thought I had better ask!

Last night I got to this part
* If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

and had to stop, new baby, was thankful to get done what I did. I will continue on tonight when I get home from work with the next set of instructions, then post.

Thanks a HEAP!

Kindest regards,
Christine
 

cj2448

Thread Starter
Joined
Apr 25, 2004
Messages
544
OK...stuck....at the part where it says, Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll....if not go to dllcache folder....


Well, I don't see the Shell.dll in the system32 folder, AND the problem is, I can't find the dllcache folder in the system32 folder either to get the file to copy and paste?????
 
Joined
Jul 26, 2002
Messages
46,349
You have to set your folder options to show hidden files and folders to see the shell.dll file and the dllcache folder:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"
 

cj2448

Thread Starter
Joined
Apr 25, 2004
Messages
544
Flrman1 said:
You have to set your folder options to show hidden files and folders to see the shell.dll file and the dllcache folder:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Oh poopie, I knew that! BABY BRAIN here!

Need to get back to it tomorrow after work, I hope.

Thanks Flrman, you da best!
 

cj2448

Thread Starter
Joined
Apr 25, 2004
Messages
544
Flrman1 said:
You have to set your folder options to show hidden files and folders to see the shell.dll file and the dllcache folder:

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"
I can't locate this file shell.dll in the System32 folder (I only could find shell32.dll) or in the dllcache folder, I looked several times and just can't find it :( Now what?

(I did see the control.exe in there)

EDIT: There is a shell.dll in the following places C:\I386 and C:\Windows\System


NOW...I can't get online to do scan....just posted here for help with that http://forums.techguy.org/networking/429221-working-laptop-cant-get-connect.html
 