[help_me]

I have tried various things trying to clear my system of this problem, here is my log file, maybe you can specifically tell me what steps to take. Thanks in advance!!
Logfile of HijackThis v1.99.0
Scan saved at 3:43:30 PM, on 12/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\craz32.exe
C:\WINDOWS\system32\apizh.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\OLD_C\PROGRA~1\AIM95\aim.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nozwn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nozwn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nozwn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nozwn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nozwn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nozwn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nozwn.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A0FBF6A7-DE21-3235-7B76-A7427D953750} - C:\WINDOWS\system32\sdksb32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [apizh.exe] C:\WINDOWS\system32\apizh.exe
O4 - HKLM\..\RunOnce: [craz32.exe] C:\WINDOWS\system32\craz32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\OLD_C\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com/....chm::/open.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\sysag.exe (file missing)

[Advertisements]

Hi help_me,and welcome to geekstogo. You have a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service. It's a long fix, but we'll get it.

1. Obtain list of irregular services:
* Please download ServiceFilter.
* Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
* Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
* If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
* It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
* Press Ctrl + A simultaneously to select all of the text.
* Copy and paste the whole thing into your next post.
* A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

[Yarnouth]

Hi help_me,and welcome to geekstogo. You have a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service. It's a long fix, but we'll get it.

1. Obtain list of irregular services:
* Please download ServiceFilter.
* Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
* Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
* If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
* It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
* Press Ctrl + A simultaneously to select all of the text.
* Copy and paste the whole thing into your next post.
* A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

[help_me]

Hi help_me,and welcome to geekstogo. You have a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service. It's a long fix, but we'll get it.

  1. Obtain list of irregular services:
          * Please download ServiceFilter.
          * Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
          * Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
          * If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
          * It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
          * Press Ctrl + A simultaneously to select all of the text.
          * Copy and paste the whole thing into your next post.
          * A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

[help_me]

Hi help_me,and welcome to geekstogo. You have a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service. It's a long fix, but we'll get it.

  1. Obtain list of irregular services:
          * Please download ServiceFilter.
          * Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
          * Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
          * If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
          * It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
          * Press Ctrl + A simultaneously to select all of the text.
          * Copy and paste the whole thing into your next post.
          * A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

[help_me]

Hi help_me,and welcome to geekstogo. You have a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service. It's a long fix, but we'll get it.

  1. Obtain list of irregular services:
          * Please download ServiceFilter.
          * Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
          * Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
          * If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
          * It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
          * Press Ctrl + A simultaneously to select all of the text.
          * Copy and paste the whole thing into your next post.
          * A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

[help_me]

Sorry I'm being a dufus when it comes to replying. Here is the info from the script you requested me to run.
Thanks again for your help!

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600
Dec 21, 2004 8:28:18 AM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AVWUpSrv
Display Name: AntiVir Update
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\program files\avpersonal\avwupsrv.exe"
State: Running
Process ID: 1164
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service # 2
Service Name: RetroLauncher
Display Name: Retrospect Launcher
Start Mode: Auto
Start Name: LocalSystem
Description: Launches Retrospect automatically when scripts are waiting to ...
Service Type: Own Process
Path: c:\program files\dantz\retrospect\retrorun.exe
State: Running
Process ID: 1236
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: Retrospect Helper
Display Name: Retrospect Helper
Start Mode: Auto
Start Name: LocalSystem
Description: Helps Retrospect with various ...
Service Type: Own Process
Path: "c:\program files\dantz\retrospect\rthlpsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: RetroWDSvc
Display Name: Retrospect WD Service
Start Mode: Auto
Start Name: LocalSystem
Description: Provide Retrospect interface to Western Digital ...
Service Type: Own Process
Path: c:\progra~1\dantz\retros~1\wdsvc.exe
State: Running
Process ID: 1352
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #5
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{ff7f281e-4285-4383-9f65-a06acbca14c0}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: ZESOFT
Display Name: ZESOFT
Start Mode: Auto
Start Name: LocalSystem
Description: ZESoft ...
Service Type: Own Process
Path: c:\windows\zeta.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: �%AF夶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\sysag.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 83 Win32 services on this machine.
7 were unrecognized.

Script Execution Time: 15.91602 seconds.