
about:blank and "only the best" adware [RESOLVED]


  • This topic is locked

#1
curiousyello

    Member

  • Member
  • 17 posts
I followed all the generic directions on this site, which helped remove a lot of malware - although I was unable to run an online Trend Micro HouseCall due to persistent IE crashes. I also have Windows XP Service Pack 2 installed, although I may have installed it after a serious malware infection. I am still plagued by the about:blank IE hijacker and an "Only the Best" popup adware problem. Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:55:46 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netij32.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\addzo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Blair\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dohge.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {006037F9-A004-367C-C7FB-9C0C131CA3DF} - C:\WINDOWS\system32\sdkng.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1017A24B-257D-16EF-4FEE-A6CD064A88D5} - C:\WINDOWS\addyy.dll (file missing)
O2 - BHO: Class - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipcg32.dll (file missing)
O2 - BHO: Class - {1F9DCEC4-64A8-44CC-446E-C8AF24D627C3} - C:\WINDOWS\system32\sdkhx.dll (file missing)
O2 - BHO: Class - {30D6993A-6A35-373B-3E6E-B557CAEF0E58} - C:\WINDOWS\system32\crld32.dll (file missing)
O2 - BHO: Class - {417FD62A-EA0C-1E8B-3C09-60E3940408B0} - C:\WINDOWS\addql.dll (file missing)
O2 - BHO: Class - {4A9658C3-7A94-7CD6-6993-5AEA0089AA13} - C:\WINDOWS\iezd.dll (file missing)
O2 - BHO: Class - {4B7CEBA7-8FF2-5B84-A513-BFA178B13DEE} - C:\WINDOWS\system32\msxb32.dll (file missing)
O2 - BHO: Class - {5FD260CC-B589-0058-5A1A-E588B80E3426} - C:\WINDOWS\system32\mstu.dll (file missing)
O2 - BHO: Class - {767C3BCA-1931-C2D3-5152-1EAC589AADF7} - C:\WINDOWS\system32\mfchd.dll (file missing)
O2 - BHO: Class - {793699E0-D730-8772-E455-586B27DEE4F5} - C:\WINDOWS\system32\appsr32.dll (file missing)
O2 - BHO: Class - {8849FD03-210F-3BC3-0713-DAC7CE7DD7AA} - C:\WINDOWS\d3eq.dll
O2 - BHO: Class - {8F3AD9AB-7DFD-A5AF-23F0-F6986A9DB089} - C:\WINDOWS\system32\msmm32.dll (file missing)
O2 - BHO: Class - {BA66C889-E5A1-C7F2-38A0-D7C16991F3E6} - C:\WINDOWS\system32\sdkav.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D15B880A-A0B5-77A6-C441-CC0784878A9A} - C:\WINDOWS\system32\netaj32.dll (file missing)
O2 - BHO: Class - {F75E935C-460C-2FD8-E0A7-B79321EBB7C0} - C:\WINDOWS\ipdn32.dll (file missing)
O2 - BHO: Class - {FA83F041-A1A7-96E9-9A0F-5BFEC18C399D} - C:\WINDOWS\system32\apiir32.dll (file missing)
O2 - BHO: Class - {FD4A74BF-5712-24E2-4DA7-6711D4FD291B} - C:\WINDOWS\system32\crwf32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [criq32.exe] C:\WINDOWS\system32\criq32.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\Blair\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [mfckz.exe] C:\WINDOWS\mfckz.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\Blair\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [netgu.exe] C:\WINDOWS\system32\netgu.exe
O4 - HKLM\..\Run: [crxh32.exe] C:\WINDOWS\system32\crxh32.exe
O4 - HKLM\..\Run: [ielj32.exe] C:\WINDOWS\system32\ielj32.exe
O4 - HKLM\..\Run: [addzo.exe] C:\WINDOWS\system32\addzo.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127365919900
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{574D842E-3A1E-4488-903D-74D0FAF62CEE}: NameServer = 216.21.129.22,216.21.128.22
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netij32.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0



#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Not a good idea. If you still have stability problems after we declare your log clean, I suggest uninstalling SP2 and then reinstalling it. Otherwise, leave it alone :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on the 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click the Update button to see if there are any updates. Close the program now.

Download cwsserviceremove http://www.greyknigh...rviceremove.zip and unzip it to your desktop. Don't run it yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dohge.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dohge.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {006037F9-A004-367C-C7FB-9C0C131CA3DF} - C:\WINDOWS\system32\sdkng.dll (file missing)
O2 - BHO: Class - {1017A24B-257D-16EF-4FEE-A6CD064A88D5} - C:\WINDOWS\addyy.dll (file missing)
O2 - BHO: Class - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipcg32.dll (file missing)
O2 - BHO: Class - {1F9DCEC4-64A8-44CC-446E-C8AF24D627C3} - C:\WINDOWS\system32\sdkhx.dll (file missing)
O2 - BHO: Class - {30D6993A-6A35-373B-3E6E-B557CAEF0E58} - C:\WINDOWS\system32\crld32.dll (file missing)
O2 - BHO: Class - {417FD62A-EA0C-1E8B-3C09-60E3940408B0} - C:\WINDOWS\addql.dll (file missing)
O2 - BHO: Class - {4A9658C3-7A94-7CD6-6993-5AEA0089AA13} - C:\WINDOWS\iezd.dll (file missing)
O2 - BHO: Class - {4B7CEBA7-8FF2-5B84-A513-BFA178B13DEE} - C:\WINDOWS\system32\msxb32.dll (file missing)
O2 - BHO: Class - {5FD260CC-B589-0058-5A1A-E588B80E3426} - C:\WINDOWS\system32\mstu.dll (file missing)
O2 - BHO: Class - {767C3BCA-1931-C2D3-5152-1EAC589AADF7} - C:\WINDOWS\system32\mfchd.dll (file missing)
O2 - BHO: Class - {793699E0-D730-8772-E455-586B27DEE4F5} - C:\WINDOWS\system32\appsr32.dll (file missing)
O2 - BHO: Class - {8849FD03-210F-3BC3-0713-DAC7CE7DD7AA} - C:\WINDOWS\d3eq.dll
O2 - BHO: Class - {8F3AD9AB-7DFD-A5AF-23F0-F6986A9DB089} - C:\WINDOWS\system32\msmm32.dll (file missing)
O2 - BHO: Class - {BA66C889-E5A1-C7F2-38A0-D7C16991F3E6} - C:\WINDOWS\system32\sdkav.dll (file missing)
O2 - BHO: Class - {D15B880A-A0B5-77A6-C441-CC0784878A9A} - C:\WINDOWS\system32\netaj32.dll (file missing)
O2 - BHO: Class - {F75E935C-460C-2FD8-E0A7-B79321EBB7C0} - C:\WINDOWS\ipdn32.dll (file missing)
O2 - BHO: Class - {FA83F041-A1A7-96E9-9A0F-5BFEC18C399D} - C:\WINDOWS\system32\apiir32.dll (file missing)
O2 - BHO: Class - {FD4A74BF-5712-24E2-4DA7-6711D4FD291B} - C:\WINDOWS\system32\crwf32.dll (file missing)
O4 - HKLM\..\Run: [criq32.exe] C:\WINDOWS\system32\criq32.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\Blair\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [mfckz.exe] C:\WINDOWS\mfckz.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\Blair\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [netgu.exe] C:\WINDOWS\system32\netgu.exe
O4 - HKLM\..\Run: [crxh32.exe] C:\WINDOWS\system32\crxh32.exe
O4 - HKLM\..\Run: [ielj32.exe] C:\WINDOWS\system32\ielj32.exe
O4 - HKLM\..\Run: [addzo.exe] C:\WINDOWS\system32\addzo.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netij32.exe" /s (file missing)


Run AboutBuster and click the Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\dohge.dll
C:\WINDOWS\d3eq.dll
C:\WINDOWS\system32\sdkav.dll
C:\WINDOWS\system32\netaj32.dll
C:\WINDOWS\ipdn32.dll
C:\WINDOWS\system32\apiir32.dll
C:\WINDOWS\system32\crwf32.dll
C:\WINDOWS\system32\criq32.exe
C:\WINDOWS\mfckz.exe
C:\WINDOWS\system32\netgu.exe
C:\WINDOWS\system32\crxh32.exe
C:\WINDOWS\system32\ielj32.exe
C:\WINDOWS\system32\addzo.exe
C:\WINDOWS\system32\netij32.exe


Run cwsserviceremove.reg now and choose Yes to add it to the registry.

Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0
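A way to triage a HijackThis log like the one in this thread, as an added Python example that is not part of the original posts and not part of HijackThis. The four rules are assumptions generalized from the entries selected for fixing above, and the sample lines are copied from the first log; a hit is a prompt for manual review, not a verdict.

```python
import re
from typing import Iterator, List, NamedTuple

# Constructed sample: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dohge.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Class - {006037F9-A004-367C-C7FB-9C0C131CA3DF} - C:\WINDOWS\system32\sdkng.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8849FD03-210F-3BC3-0713-DAC7CE7DD7AA} - C:\WINDOWS\d3eq.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\Blair\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [addzo.exe] C:\WINDOWS\system32\addzo.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netij32.exe" /s (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # which review rule matched
    entry: str    # the log line as written

# "<section> - <body>" lines; headers and the process list do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.+?)\] (.+)$")
WINDIR_DLL_RE = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[^\\]+\.dll$", re.I)

def _reasons(section: str, body: str) -> Iterator[str]:
    """Yield a reason for each review rule (assumed heuristics) the entry matches."""
    if section in ("R0", "R1") and "res://" in body.lower():
        yield "IE page/search setting loads from a local DLL resource (res://)"
    elif section == "O2":
        m = BHO_RE.match(body)
        if m:
            name, _clsid, path, missing = m.groups()
            if name == "Class" and WINDIR_DLL_RE.match(path):
                yield "unnamed BHO with its DLL directly in the Windows directory"
            if missing:
                yield "BHO registration points at a missing file"
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            value_name, command = m.groups()
            # File name of the launched program, without quotes or arguments.
            exe = re.split(r'["\s]', command.strip('"').rsplit("\\", 1)[-1])[0]
            if "\\temp\\" in command.lower():
                yield "autorun launches from a Temp directory"
            if value_name.lower() == exe.lower():
                yield "Run value is named after its own executable"
    elif section == "O23" and "unknown owner" in body.lower():
        yield "service binary has no identifiable vendor (Unknown owner)"

def triage(log: str) -> List[Finding]:
    """Return one Finding per (entry, matched rule) in a HijackThis log."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.groups()
        findings.extend(Finding(section, r, line) for r in _reasons(section, body))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n     {f.entry}")
```

Entries the rules leave alone here (Acrobat, Symantec, iPod, Outlook Express, DeltTray) still need the same manual judgment the helper applied in the thread.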

#3
curiousyello

    Member

  • Topic Starter
  • Member
  • 17 posts
Thanks for the quick reply!

I had already run CWShredder but I ran it again. It indicated that CWS.homesearch was REMOVED. It said to reboot and run it again and I did with exactly the same results.

I downloaded and unzipped AboutBuster to a desktop folder. When I clicked on the Update button I got a message that said AboutBuster - Run-time error '5': Invalid procedure call or argument.

Should I continue with the procedure or is there something else I should do now?
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I need to fix that part of my speech up. Don't run the update for AboutBuster...seems like it's a problem whenever the site is down. You must restart to run AboutBuster again if you got the error 5...shouldn't matter since you need to boot into Safe Mode anyway :tazz:

Continue with the fix (skip the update part).
  • 0

#5
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#6
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Re-opened at topic starter's request.
  • 0

#7
curiousyello

    Member

  • Topic Starter
  • Member
  • 17 posts
Thanks for reopening the post.

I downloaded and ran CWShredder which found and removed CWSearch.

When I unzipped and ran AboutBuster a curious thing happened: my CD burning software (Ahead Nero) opened automatically several times. As this wasn't what I expected, I immediately closed the window each time as soon as it opened. Then when I went to back up some files to CD I found that the Nero software was no longer available through the Start / All Programs menu. I can still find it by looking through C / Program Files / Ahead Nero but it asks me to register it again before it will open.

The problem is that I still have the original software disc that came with the Sony CD burner/DVD player but don't have the serial number so can't use the burner to back up anything. Interestingly I recently had the hard drive redone and Windows XP reinstalled and was able to install Nero from the disc without using the serial number. I'm reluctant to finish the rest of the malware removal until I solve this problem as I can't back up anything externally. Should I uninstall the Nero software and try to reinstall it? It came with DVD playing software which still works and I'm reluctant to risk losing it too. Also should I back up ALL documents and files to disc before completing the process?

Thanks.
  • 0

#8
curiousyello

    Member

  • Topic Starter
  • Member
  • 17 posts
Thanks! It all seems to have worked. Here are the logs:
AboutBuster 5.0 reference file 31
Scan started on [10/17/2005] at [1:56:12 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\hknbr.dat
Removed File! : C:\Windows\hwxdh.dat
Removed File! : C:\Windows\jakse.dat
Removed File! : C:\Windows\peepy.dat
Removed File! : C:\Windows\System32\kmquo.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:58:12 PM


AboutBuster 5.0 reference file 31
Scan started on [11/1/2005] at [8:11:09 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:12:17 PM


Logfile of HijackThis v1.99.1
Scan saved at 9:05:22 PM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Blair\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127365919900
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{574D842E-3A1E-4488-903D-74D0FAF62CEE}: NameServer = 216.21.129.22,216.21.128.22
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks!
  • 0

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





