Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Cool HELP....ive been jacked!

Logfile of HijackThis v1.98.0
Scan saved at 4:06:23 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tommy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html#1525
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sxhzo.dll/index.html#23648
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24E085E6-A513-1BB9-B89C-40092BAEC3AE} - C:\WINDOWS\system32\addwu32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [appmp.exe] C:\WINDOWS\appmp.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [sysgt.exe] C:\WINDOWS\system32\sysgt.exe
O4 - HKLM\..\RunOnce: [netxr32.exe] C:\WINDOWS\netxr32.exe
O4 - HKLM\..\RunOnce: [atlxo32.exe] C:\WINDOWS\atlxo32.exe
O4 - HKLM\..\RunOnce: [apphk.exe] C:\WINDOWS\system32\apphk.exe
O4 - HKLM\..\RunOnce: [applx32.exe] C:\WINDOWS\system32\applx32.exe
O4 - HKLM\..\RunOnce: [appjw32.exe] C:\WINDOWS\appjw32.exe
O4 - HKLM\..\RunOnce: [syswc32.exe] C:\WINDOWS\system32\syswc32.exe
O4 - HKLM\..\RunOnce: [iebx.exe] C:\WINDOWS\iebx.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\PestPatrol\ppclean.exe" clean ts:20040718151247541 suite 2 2
O4 - HKLM\..\RunOnce: [sysbz.exe] C:\WINDOWS\system32\sysbz.exe
O4 - HKLM\..\RunOnce: [netdd32.exe] C:\WINDOWS\system32\netdd32.exe
O4 - HKLM\..\RunOnce: [ipwh32.exe] C:\WINDOWS\system32\ipwh32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
Hi and welcome dabuggin1,

Dowload the following program


It should be the current version, but check for updates

Run Program cwshredder and have it fix anything it finds.

Make sure you click on the “Fix” button

Download .
About Buster

Then Unzip it to your desktop..

Next: reboot into 'SAFE MODE'. ( By tapping the F8 key on start up)
Double click AboutBuster.exe
Ignore the window that tells you to fix items in hijackthis.
Click OK, click Start, then click OK.
Save the report...Copy and Paste the report into Notepad or Word Pad .


When AboutBuster has finished ,
Reboot into normal mode. Run another hijackthis scan.
Post your HJT log and AboutBuster report to this thread, please.
Thanks for the response. Here is the info you requested:

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\abefyd.dat
Removed! : C:\WINDOWS\appjw32.exe
Removed! : C:\WINDOWS\appmp.exe
Removed! : C:\WINDOWS\atlxo32.exe
Removed! : C:\WINDOWS\beepdz.dat
Removed! : C:\WINDOWS\btjwmd.dat
Removed! : C:\WINDOWS\cjywj.dat
Removed! : C:\WINDOWS\eewmg.dat
Removed! : C:\WINDOWS\epxxrg.dat
Removed! : C:\WINDOWS\hegsrj.dat
Removed! : C:\WINDOWS\hjrncm.dat
Removed! : C:\WINDOWS\iebx.exe
Removed! : C:\WINDOWS\isakyu.dat
Removed! : C:\WINDOWS\jlddrj.dat
Removed! : C:\WINDOWS\jlvfyz.dat
Removed! : C:\WINDOWS\jqromp.dat
Removed! : C:\WINDOWS\kgkdch.dat
Removed! : C:\WINDOWS\kowaep.dat
Removed! : C:\WINDOWS\kvkgta.dat
Removed! : C:\WINDOWS\lemawz.dat
Removed! : C:\WINDOWS\ljplca.dat
Removed! : C:\WINDOWS\lqbwsk.dat
Removed! : C:\WINDOWS\nbusfq.dat
Removed! : C:\WINDOWS\netxr32.exe
Removed! : C:\WINDOWS\nngqja.dat
Removed! : C:\WINDOWS\n_gwcubk.dat
Removed! : C:\WINDOWS\n_nlrxoe.dat
Removed! : C:\WINDOWS\offbz.dat
Removed! : C:\WINDOWS\ofgrpg.dat
Removed! : C:\WINDOWS\ozzme.dat
Removed! : C:\WINDOWS\ozzmeg.dat
Removed! : C:\WINDOWS\plata.dat
Removed! : C:\WINDOWS\platak.dat
Removed! : C:\WINDOWS\qhlwrv.dat
Removed! : C:\WINDOWS\qidils.dat
Removed! : C:\WINDOWS\qlmmfx.dat
Removed! : C:\WINDOWS\ruxdb.dat
Removed! : C:\WINDOWS\sgwppu.dat
Removed! : C:\WINDOWS\sleseb.dat
Removed! : C:\WINDOWS\uwbszj.dat
Removed! : C:\WINDOWS\wahxfd.dat
Removed! : C:\WINDOWS\yfopat.dat
Removed! : C:\WINDOWS\zbmtrt.dat
Removed! : C:\WINDOWS\zqqazw.dat
Removed! : C:\WINDOWS\System32\addwu32.dll
Removed! : C:\WINDOWS\System32\apphk.exe
Removed! : C:\WINDOWS\System32\applx32.exe
Removed! : C:\WINDOWS\System32\dmrse.dat
Removed! : C:\WINDOWS\System32\ipwh32.exe
Removed! : C:\WINDOWS\System32\mcufm.dat
Removed! : C:\WINDOWS\System32\netdd32.exe
Removed! : C:\WINDOWS\System32\nnzhx.dat
Removed! : C:\WINDOWS\System32\nthst32.dll
Removed! : C:\WINDOWS\System32\qcjjr.dat
Removed! : C:\WINDOWS\System32\qvfvc.dat
Removed! : C:\WINDOWS\System32\shqrx.dat
Removed! : C:\WINDOWS\System32\sysbz.exe
Removed! : C:\WINDOWS\System32\sysgt.exe
Removed! : C:\WINDOWS\System32\syswc32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

************************************************** ******

Logfile of HijackThis v1.98.0
Scan saved at 6:05:30 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Tommy\Desktop\Mike's Stuff - Do Not Delete\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24E085E6-A513-1BB9-B89C-40092BAEC3AE} - C:\WINDOWS\system32\addwu32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\PestPatrol\ppclean.exe" clean ts:20040718151247541 suite 2 2 2 2
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
Hi again dabuggin1

Please create a dedicated folder on C: and name it HJT and drag HJT into it please,

Please restart HJT put a check next to the following, close all open windows and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html#1525
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html#1525
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1525
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {24E085E6-A513-1BB9-B89C-40092BAEC3AE} - C:\WINDOWS\system32\addwu32.dll (file missing)

O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

Restart your computer, If you have not already done so Download CWShredder, Run CWShredder, Be sure and click on the Fix button

If you can't get it from the link I provided above go here

Post back a fresh log when you have finished please
Here is the log after following your instructions:

Logfile of HijackThis v1.98.0
Scan saved at 6:32:53 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\PestPatrol\ppclean.exe" clean ts:20040718151247541 suite 2 2 2 2 2
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
Good deal, Looks clean now, Just have HJT fix this one same way as above

R3 - Default URLSearchHook is missing

Post back if you have any further problems
Thanks a million, you have been a great help!!!
Your very welcome dabuggin
