malware?

#1
xznfgzx

    New Member

  • Member
  • 1 posts
OK, so lately I've been getting popups every time I search on Google, and my desktop background is now a blue screen that says "your computer is infected...." blah blah.
Please help me fix it.

Here is my logfile:
Logfile of HijackThis v1.99.1
Scan saved at 1:43:27 AM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\iewa.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\iebq32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Build to Order\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {DE10C0C2-6E08-CABB-135A-E38BB36A3958} - C:\WINDOWS\system32\apixg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [appen.exe] C:\WINDOWS\system32\appen.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iebq32.exe] C:\WINDOWS\system32\iebq32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0
#2
FZWG

    Visiting Staff

  • Member
  • 145 posts
Your log is showing characteristics of a CoolWebSearch malware variant.

Please copy these instructions to NotePad and save them to the Desktop
for later use in Safe Mode, and proceed as follows:

Step 1:
Download AboutBuster: http://www.downloads...AboutBuster.zip
-Unzip it to a folder on the Desktop
-Double click the AboutBuster icon
-Click OK to the Read dialogue
-Click the Update button, and then select: Check for Update
Exit from the program, and do not run AboutBuster yet.

Step 2:
Please create a folder on the Desktop (Right click, select New>Folder)
-Name it: EWIDO
-Download Ewido Security Suite:
http://www.ewido.net/en/download/
-Press: Download Now
-In the folder where EWIDO is located, double click the EWIDO Setup file
Follow the prompts and reboot when done.

Now, go to Start>All Programs>EWIDO
Select: Security Suite

When the program starts, do an online update for the latest signature files
An Update Successful prompt appears when done
Do not click the Scanner button yet.

Step 3:
Next, download CWShredder
http://www.trendmicro.com/cwshredder/
-Create a folder for it, and save the file there
-Double click on the program icon
-Use the: Check for Updates option and download the latest reference files
Do not run the program yet

Step 4:
Download CleanUp40.exe to the Desktop: (about 3/4 down the page)
http://www.stevengou...p/download.html
Do not run this program yet.

Step 5:
Download Killbox:
http://www.downloads...org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file
Do not run it yet.

For this removal procedure to work, make sure you are offline, keep Internet Explorer closed, and perform all the steps that follow.

Step 6:
Now, reboot to Safe Mode:
-Restart your computer
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu
-Select the option for Safe Mode using the arrow keys
-Press Enter to boot into Safe Mode

Step 7:
Run HijackThis and Scan.
Check box for:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {DE10C0C2-6E08-CABB-135A-E38BB36A3958} - C:\WINDOWS\system32\apixg.dll

O4 - HKLM\..\Run: [appen.exe] C:\WINDOWS\system32\appen.exe
O4 - HKLM\..\Run: [iebq32.exe] C:\WINDOWS\system32\iebq32.exe

Now, select: Fix Checked

Step 8:
Next, enable the viewing of Hidden Files and Folders as follows:
-At your desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
Click OK

Step 9:
Back on the Desktop:
-Double click the AboutBuster icon
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan

AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Step 10:
Double click the CWShredder icon to run the program
-Next, click on the: ‘Fix’ button
Follow the prompts, and press OK

Step 11:
Double-click the Cleanup! icon to run the program
-Click: Options (right side)
-In the Quick SetUp area, move the arrow to: Custom CleanUp!
-Only check the following:
--Empty Recycle Bin
--Delete Prefetch files
--Scan local drives for temporary files
--Cleanup! All Users

Click: OK

Click the CleanUp button and let the program run.
Close the program when done.

Step 12:
Run EWIDO
Click on the Scanner button in the left menu
Next, click on: Complete System Scan

The scan may find malware entries and request action to clean up. Agree.
However, if EWIDO finds something that you know is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), do not check: Perform action with all infections. If you are unsure of an entry, select None as the action for the time being.

Once the scan has completed, click: Save Report
Save the report to the EWIDO folder

Step 13:
Double-click on Killbox.exe to run it.
At the main screen of KillBox, select the option: Delete on Reboot

In the Full Path of File to Delete box copy/paste the following entry:
C:\WINDOWS\jeays.dll
Press the button with a red circle and a white X (Delete File button)
KillBox will alert you the file will be deleted on next reboot, click Yes
When asked to Reboot, select Yes

Do the same for the following files:
C:\WINDOWS\system32\iewa.exe
C:\WINDOWS\system32\apixg.dll
C:\WINDOWS\system32\appen.exe
C:\WINDOWS\system32\iebq32.exe


Note: If you get the following message: "PendingFileRenameOperations Registry Data has been Removed by External Process!", just restart manually.

Step 14:
Run HijackThis and click on: Open the Misc Tools section
Click on: Open ADS Spy
Uncheck the Quick Scan box
Click the Scan button
After scanning click: Save log
Save the ADS Spy log to post in your response

Step 15:
Last, run HijackThis and Scan.


Please post the following:
The About Buster log from Step 9
The EWIDO report from step 12
The ADS Spy log from step 14
A new HijackThis log from step 15

If there is a problem with any of the steps above, please describe it in your reply.
  • 0
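The reply above triages the HijackThis log by hand: every R0/R1 entry pointing IE's start and search pages at a `res://` URL inside a local DLL, the missing default URLSearchHook, the generically named BHO loading a DLL from the Windows directory, and the two autoruns whose label is nothing more than their own file name. The script below is an added example (not part of HijackThis, the forum's tools, or FZWG's reply) that encodes those same observations as explicit heuristics and runs them over a trimmed copy of the posted log, constructed inline as sample input. The heuristics, helper names and the "fix"/"review" severities are assumptions made for this example; they are not HijackThis rules, and the `about:blank` start page is reported for review rather than as a fix because a blanked start page is also a legitimate setting.

```python
"""Offline triage of HijackThis v1.99-style log lines.

Added example for this thread; not HijackThis code and not the forum's tools.
All heuristics below are assumptions written for this example.
"""
import re
from typing import List, Tuple

# Constructed sample: a trimmed copy of the entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jeays.dll/sp.html#17702%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {DE10C0C2-6E08-CABB-135A-E38BB36A3958} - C:\WINDOWS\system32\apixg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [appen.exe] C:\WINDOWS\system32\appen.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [iebq32.exe] C:\WINDOWS\system32\iebq32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

# Line shapes as they appear in the log (R3 "is missing" lines have no "=").
R_LINE = re.compile(r"^(R[01]) - (.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")

# Assumed heuristic: BHO names that carry no vendor information.
GENERIC_BHO_NAMES = {"(no name)", "class"}


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def in_system32(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\system32\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, line) for each entry a reviewer should act on."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            value = m.group(3)
            if value.lower().startswith("res://"):
                # Start/search page is served from a resource inside a local DLL.
                findings.append(("fix", "IE page redirected to a local DLL resource", line))
            elif value.lower() == "about:blank":
                findings.append(("review", "start page blanked; confirm with the user", line))
            continue
        if line.startswith("R3 - ") and "is missing" in line:
            findings.append(("fix", "default URLSearchHook removed", line))
            continue
        m = O2_LINE.match(line)
        if m:
            name, path = m.group(1), m.group(3)
            if name.lower() in GENERIC_BHO_NAMES and in_windows_dir(path):
                findings.append(("fix", "generic BHO loading a DLL from the Windows directory", line))
            continue
        m = O4_LINE.match(line)
        if m:
            label, command = m.group(2), m.group(3)
            exe = command.split()[0]
            # Autorun label equals its own file name, and it lives in system32.
            if in_system32(exe) and basename(exe).lower() == label.lower():
                findings.append(("fix", "autorun named after its own system32 file", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample, the "fix" findings are exactly the `res://` R-lines, the missing URLSearchHook, the `apixg.dll` BHO and the `appen.exe`/`iebq32.exe` autoruns; Spybot's SDHelper (no name, but under Program Files) and the NVIDIA and MSConfig entries are left alone. Anything the script marks "review" still needs a human decision, as the reply above makes by including the `about:blank` line in the fix list.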