
Problem: Hijacked, Spyware and Google



I have two main problems that I need help with.

A while back I got blasted by spyware. I think this may be the cause of my problem, but I'm not sure. Anyway, I cannot use Google anymore. I go to google.com and type in a word and hit the button. It takes me to results that are only links to advertisements. The normal results that are actually relevant to the word I typed are no longer there. Plus, when I click on the images link it does nothing. The only thing it does is put a # sign on the end of the URL in the address bar. It does this for all the links on top of the search bar (Froogle, News, Groups, etc.). I have used AdAware, Kaspersky, SpybotSD and AVG virus scanner but none of them are helping. I also cannot go to my Gmail account. I use Firefox and when I try to go to Gmail I get a message that says "The connection was refused when attempting to connect to www.google.com".

Second problem is that my desktop has been hijacked. A few days ago an image replaced my wallpaper that said something like "warning: You are infected. blah blah blah click here to find out how to remove it". I didn't click on the link cuz I know that would be trouble. When I right-clicked on my desktop and selected properties it said that my desktop was an html file. So I searched my computer and found the html file that it was and deleted it. Now the screen is completely white with no message or anything, but when you move your cursor onto it it turns grey and when you go off onto the taskbar it turns white again. Again, I have used AdAware, Kaspersky, SpybotSD and AVG virus scanner but none of them are helping.

All of this was a result of using Internet Explorer. I haven't had any problems since I switched over to Firefox. I have run those programs to get rid of some of this stuff and I think I got a lot of it out. But I'm afraid to test it and get back on IE because I'm afraid I'll get infected again.

Can anyone help me?


I couldn't get the computer to start in safe mode. The instructions in the windows help didn't...help. :lol:

Here is the host file

213.219.251.78 www.google.com

213.219.251.78 google.com

213.219.251.78 www.google.co.uk

213.219.251.78 google.co.uk

213.219.251.78 www.google.ca

213.219.251.78 google.ca

213.219.251.78 www.google.es

213.219.251.78 google.es

213.219.251.78 www.google.de

213.219.251.78 google.de

213.219.251.78 www.google.fr

213.219.251.78 google.fr

213.219.251.78 www.google.com.au

213.219.251.78 google.com.au

213.219.251.79 www.yahoo.com

213.219.251.79 yahoo.com

66.218.75.184 mail.yahoo.com

213.219.251.81 astalavista.com

213.219.251.81 www.astalavista.com

213.219.251.81 astalavista.box.sk

213.219.251.81 www.astalavista.box.sk

213.219.251.81 cracks.com

213.219.251.81 www.cracks.com

213.219.251.80 www.msn.com

213.219.251.80 msn.com

213.219.251.80 search.msn.com

213.219.251.80 www.search.msn.com

213.219.251.80 go.com

213.219.251.80 www.go.com

# Start of entries inserted by Spybot - Search & Destroy

# End of entries inserted by Spybot - Search & Destroy

Here is the Hijacked file

Logfile of HijackThis v1.99.1

Scan saved at 7:10:03 PM, on 5/30/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:WINNTSystem32smss.exe

C:WINNTsystem32winlogon.exe

C:WINNTsystem32services.exe

C:WINNTsystem32lsass.exe

C:WINNTsystem32Ati2evxx.exe

C:WINNTsystem32svchost.exe

C:WINNTSystem32svchost.exe

C:WINNTsystem32spoolsv.exe

C:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe

C:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe

C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe

C:WINNTsystem32Ati2evxx.exe

C:WINNTExplorer.EXE

C:Program FilesCommon FilesSymantec SharedccApp.exe

C:Program FilesRoxioEasy CD Creator 5DirectCDDirectCD.exe

C:WINNTsystem32CTHELPER.EXE

C:WINNTGWMDMMSG.exe

C:Program FilesCommon FilesMicrosoft SharedWorks SharedWkUFind.exe

C:Program FilesCommon FilesRealUpdate_OBrealsched.exe

C:Program FilesQuickTimeqttask.exe

C:Program FilesMusicMatchMusicMatch Jukeboxmmtask.exe

C:Program FilesJavaj2re1.4.2_05binjusched.exe

C:Program FilesViewpointViewpoint ManagerViewMgr.exe

C:PROGRA~1GrisoftAVGFRE~1avgcc.exe

C:PROGRA~1GrisoftAVGFRE~1avgemc.exe

C:Program FilesATI TechnologiesATI.ACEcli.exe

C:Program FilesAWSWeatherBugWeather.exe

C:Program FilesATI TechnologiesATI.ACECLI.exe

C:Program FileseFax Messenger 3.4J2GDllCmd.exe

C:Program FileseFax Messenger 3.4J2GTray.exe

C:Program FilesSupport.combintgcmd.exe

C:WINNTsystem32wuauclt.exe

C:Program FilesHijackthisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.top20results.com/

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.comcast.net

R1 - HKLMSoftwareMicrosoftInternet ExplorerSearch,Default_Search_URL = http://www.searchv.com/w/search.html

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Microsoft Internet Explorer provided by Comcast

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

O1 - Hosts: 213.219.251.78 www.google.com

O1 - Hosts: 213.219.251.78 google.com

O1 - Hosts: 213.219.251.78 www.google.co.uk

O1 - Hosts: 213.219.251.78 google.co.uk

O1 - Hosts: 213.219.251.78 www.google.ca

O1 - Hosts: 213.219.251.78 google.ca

O1 - Hosts: 213.219.251.78 www.google.es

O1 - Hosts: 213.219.251.78 google.es

O1 - Hosts: 213.219.251.78 www.google.de

O1 - Hosts: 213.219.251.78 google.de

O1 - Hosts: 213.219.251.78 www.google.fr

O1 - Hosts: 213.219.251.78 google.fr

O1 - Hosts: 213.219.251.78 www.google.com.au

O1 - Hosts: 213.219.251.78 google.com.au

O1 - Hosts: 213.219.251.79 www.yahoo.com

O1 - Hosts: 213.219.251.79 yahoo.com

O1 - Hosts: 66.218.75.184 mail.yahoo.com

O1 - Hosts: 213.219.251.81 astalavista.com

O1 - Hosts: 213.219.251.81 www.astalavista.com

O1 - Hosts: 213.219.251.81 astalavista.box.sk

O1 - Hosts: 213.219.251.81 www.astalavista.box.sk

O1 - Hosts: 213.219.251.81 cracks.com

O1 - Hosts: 213.219.251.81 www.cracks.com

O1 - Hosts: 213.219.251.80 www.msn.com

O1 - Hosts: 213.219.251.80 msn.com

O1 - Hosts: 213.219.251.80 search.msn.com

O1 - Hosts: 213.219.251.80 www.search.msn.com

O1 - Hosts: 213.219.251.80 go.com

O1 - Hosts: 213.219.251.80 www.go.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat

5.0ReaderActiveXAcroIEHelper.ocx

O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%azentretien.dll (file missing)

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:Program FilesMicrosoft MoneySystemmnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:Program FilesViewpointViewpoint

ToolbarViewBarBHO.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:Program FilesNorton AntiVirusNavShExt.dll

O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:WINNTsystem32azesearch4.dll

O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:WINNTsystem32iasada.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:WINNTsystem32azesearch4.dll

O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"

O4 - HKLM..Run: [ccRegVfy] "C:Program FilesCommon FilesSymantec SharedccRegVfy.exe"

O4 - HKLM..Run: [AdaptecDirectCD] "C:Program FilesRoxioEasy CD Creator 5DirectCDDirectCD.exe"

O4 - HKLM..Run: [CTHelper] CTHELPER.EXE

O4 - HKLM..Run: [updReg] C:WINNTUpdReg.EXE

O4 - HKLM..Run: [Jet Detection] C:Program FilesCreativeSBAudigyPROGRAMADGJDet.exe

O4 - HKLM..Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM..Run: [GWMDMpi] C:WINNTGWMDMpi.exe

O4 - HKLM..Run: [Microsoft Works Update Detection] C:Program FilesCommon FilesMicrosoft SharedWorks SharedWkUFind.exe

O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime

O4 - HKLM..Run: [bJCFD] C:Program FilesBroadJumpClient FoundationCFD.exe

O4 - HKLM..Run: [ComcastSUPPORT] C:Program FilesSupport.combintgkill.exe /cleaneahtioga /start

O4 - HKLM..Run: [mmtask] C:Program FilesMusicMatchMusicMatch Jukeboxmmtask.exe

O4 - HKLM..Run: [AceGain LiveUpdate] C:Program FilesAceGainLiveUpdateLiveUpdate.exe

O4 - HKLM..Run: [sunJavaUpdateSched] C:Program FilesJavaj2re1.4.2_05binjusched.exe

O4 - HKLM..Run: [ViewMgr] C:Program FilesViewpointViewpoint ManagerViewMgr.exe

O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVGFRE~1avgcc.exe /STARTUP

O4 - HKLM..Run: [AVG7_EMC] C:PROGRA~1GrisoftAVGFRE~1avgemc.exe

O4 - HKLM..Run: [ATICCC] "C:Program FilesATI TechnologiesATI.ACEcli.exe" runtime

O4 - HKLM..Run: [0b5j7084] C:WINNTsystem320b5j7084.exe

O4 - HKLM..Run: [userFaultCheck] %systemroot%system32dumprep 0 -u

O4 - HKCU..Run: [Weather] C:Program FilesAWSWeatherBugWeather.exe 1

O4 - HKCU..Run: [intel system tool] C:WINNTsystem32winnook.exe

O4 - Startup: eFax Live Menu 3.4.lnk = C:Program FileseFax Messenger 3.4J2GDllCmd.exe

O4 - Startup: eFax Tray Menu 3.4.lnk = C:Program FileseFax Messenger 3.4J2GTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:Program FilesATI TechnologiesATI.ACECLI.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:Program FilesViewpointViewpoint

ToolbarViewBar.dll/CXTSEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:WINNTSystem32msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:WINNTSystem32msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:Program FilesAIM95aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program FilesPartyPokerPartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program

FilesPartyPokerPartyPoker.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:Program FilesICQLiteICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:Program FilesICQLiteICQLite.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:Program FilesMicrosoft

MoneySystemmnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program

FilesMessengermsmsgs.exe

O9 - Extra button: Support - {422EBA37-4B61-4334-AEFB-2D6C1F69EB1C} - http://www.comcastsupport.com (file missing)

(HKCU)

O9 - Extra button: Help - {5F41EF1D-18EC-4997-826D-A67B9E543E51} - http://www.comcast.net/memberservices/ (file missing)

(HKCU)

O9 - Extra button: ComcastHSI - {75EB1CB9-8518-4B80-A91F-6C72A04BE462} - http://www.comcast.net (file missing) (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:Program FilesAWSWeatherBugWeather.exe

(HKCU)

O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing

O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -

http://support.gateway.com/support/profiler/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/downloads/kws/kavwebscan.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -

http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2AB65D8C-517B-4830-BDD9-5530A9D9ECA2} (Tax$imple) - https://www.taxsimple.com/citrix/tax$imple.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -

http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -

http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -

http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) -

http://playroom2.icq.oberon-media.com/odyssey_web8.cab

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -

http://support.gateway.com/support/serialharvest/gwCID.CAB

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch3.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -

http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) -

http://xtraz.icq.com/xtraz/activex/MISBH.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINNTsystem32Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:WINNTsystem32ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec

SharedccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:Program FilesCommon

FilesSymantec SharedccPwdSvc.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:Program FilesNorton

AntiVirusnavapsvc.exe

O23 - Service: PictureTaker - Unknown owner - c:fixitptPCTKRNT.SYS (file missing)

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:PROGRA~1COMMON~1SYMANT~1SCRIPT~1SBServ.exe


Shut down your machine then hit the power button to restart it. As soon as you do this and the BIOS POST information starts appearing, start hitting the F* key. If you get a keyboard error, shut down, start powering up again but wait a second to let the hardware initialize. This should bring up a menu, one of which is Safe Mode. Do your scans from here, but make sure you update the definitions files for both AdAware and Spybot. After scanning, as a quick try, without deleting registry entries, rename your hosts file to hosts.bak and reboot, then try Google again. Looks like your requests for Google, etc. are being redirected to a different server via your old hosts file. I'll leave the rest with PHP, since he seems to have seen this before. (If you have trouble with the hosts filename change, just rename your hosts.bak file to hosts and reboot.)


yea, or just delete all the entries in the host file... that's really bad man... there should be little to nothing there...

213.219.251.78:

OrgName:    RIPE Network Coordination Centre

OrgID:      RIPE

Address:    P.O. Box 10096

City:      Amsterdam

StateProv: 

PostalCode: 1001EB

Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:  213.0.0.0 - 213.255.255.255

CIDR:      213.0.0.0/8

NetName:    RIPE-213

NetHandle:  NET-213-0-0-0-1

Parent:   

NetType:    Allocated to RIPE NCC

NameServer: NS-PRI.RIPE.NET

NameServer: NS3.NIC.FR

NameServer: SUNIC.SUNET.SE

NameServer: AUTH00.NS.UU.NET

NameServer: SEC1.APNIC.NET

NameServer: SEC3.APNIC.NET

NameServer: TINNIE.ARIN.NET

Comment:    These addresses have been further assigned to users in

Comment:    the RIPE NCC region. Contact information can be found in

Comment:    the RIPE database at http://www.ripe.net/whois

RegDate:   

Updated:    2004-03-16

66.218.75.184:

OrgName:    Yahoo!

OrgID:      YAOO

Address:    701 First Ave

City:      Sunnyvale

StateProv:  CA

PostalCode: 94089

Country:    US

NetRange:  66.218.64.0 - 66.218.95.255

CIDR:      66.218.64.0/19

NetName:    A-YAHOO-U23

NetHandle:  NET-66-218-64-0-1

Parent:    NET-66-0-0-0-0

NetType:    Direct Allocation

NameServer: NS1.YAHOO.COM

NameServer: NS2.YAHOO.COM

NameServer: NS3.YAHOO.COM

NameServer: NS4.YAHOO.COM

NameServer: NS5.YAHOO.COM

Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

RegDate:    2002-01-15

Updated:    2002-06-27

the Yahoo one looks real, the rest are probably the cause of your problems... as for the HijackThis log... I'll go through that and post back what you should get rid of... that's a REALLY long log... (mine doesn't even fill up 2/3 of my screen...)
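An added example (not part of any post in this thread): a Python audit of a hosts file like the one posted above. It lists every name pinned to a non-loopback address, groups redirect targets that sit in the same /24, and comments the redirecting lines out instead of deleting them, so the change is as reversible as the hosts.bak rename. The function names and the `# disabled:` marker are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Abridged from the hosts file posted in this thread. The localhost line and
# the inline comment are constructed additions that exercise the parser.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
213.219.251.78 www.google.com
213.219.251.78 google.com
213.219.251.78 www.google.co.uk
213.219.251.79 www.yahoo.com   # constructed inline comment
66.218.75.184 mail.yahoo.com
213.219.251.81 astalavista.com
213.219.251.81 www.cracks.com
213.219.251.80 www.msn.com
213.219.251.80 go.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""


def split_entry(raw):
    """Return (ip, names) for a mapping line, or None for blanks, comments, junk."""
    fields = raw.split("#", 1)[0].split()
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return ip, [name.lower() for name in fields[1:]]


def is_sinkhole(ip):
    """Loopback and 0.0.0.0 entries block a name locally; they do not redirect it."""
    return ip.is_loopback or ip.is_unspecified


def overrides(text):
    """Map every redirecting address to the sorted hostnames pinned to it."""
    found = defaultdict(set)
    for raw in text.splitlines():
        entry = split_entry(raw)
        if entry and not is_sinkhole(entry[0]):
            found[entry[0]].update(entry[1])
    return {ip: sorted(names) for ip, names in found.items()}


def clusters(text, prefix=24):
    """Return IPv4 networks that hold two or more distinct redirect targets."""
    nets = defaultdict(set)
    for ip in overrides(text):
        if ip.version == 4:
            nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return {net: sorted(ips) for net, ips in nets.items() if len(ips) > 1}


def disable_overrides(text):
    """Comment out redirecting lines so the change can be reverted by hand."""
    out = []
    for raw in text.splitlines():
        entry = split_entry(raw)
        redirecting = entry is not None and not is_sinkhole(entry[0])
        out.append("# disabled: " + raw if redirecting else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for ip, names in sorted(overrides(SAMPLE_HOSTS).items()):
        print(f"{ip} <- {', '.join(names)}")
    for net, ips in clusters(SAMPLE_HOSTS).items():
        print(f"cluster {net}: {', '.join(map(str, ips))}")
```

A cluster only says that several overrides point into one address block; whether any single target is legitimate still has to be checked against a fresh DNS lookup from a clean machine.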


Ok, first of all, uninstall all of the Norton and Symantec stuff... then reboot...

There's a couple files I would like you to zip and upload so I can scan them:

C:WINNTsystem32CTHELPER.EXE

C:WINNTGWMDMMSG.exe

C:WINNTsystem32wuauclt.exe

C:WINNTExplorer.EXE

C:WINNTUpdReg.EXE

Then, entries to remove: (some of them if they still exist after uninstalling Norton...)

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.top20results.com/

R1 - HKLMSoftwareMicrosoftInternet ExplorerSearch,Default_Search_URL = http://www.searchv.com/w/search.html

All the hosts stuff...

O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%azentretien.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:Program FilesNorton AntiVirusNavShExt.dll

O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:WINNTsystem32azesearch4.dll

O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:WINNTsystem32iasada.dll

O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:WINNTsystem32azesearch4.dll

O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"

O4 - HKLM..Run: [ccRegVfy] "C:Program FilesCommon FilesSymantec SharedccRegVfy.exe"

O4 - HKLM..Run: [CTHelper] CTHELPER.EXE

O4 - HKLM..Run: [updReg] C:WINNTUpdReg.EXE

O4 - HKLM..Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM..Run: [GWMDMpi] C:WINNTGWMDMpi.exe

O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime

O4 - HKLM..Run: [mmtask] C:Program FilesMusicMatchMusicMatch Jukeboxmmtask.exe

O4 - HKLM..Run: [AceGain LiveUpdate] C:Program FilesAceGainLiveUpdateLiveUpdate.exe

O4 - HKLM..Run: [0b5j7084] C:WINNTsystem320b5j7084.exe

O4 - HKLM..Run: [userFaultCheck] %systemroot%system32dumprep 0 -u (I'm wondering about this one... it looks quite suspicious...)

O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccPwdSvc.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:Program FilesNorton AntiVirusnavapsvc.exe

O23 - Service: PictureTaker - Unknown owner - c:fixitptPCTKRNT.SYS (file missing)

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:PROGRA~1COMMON~1SYMANT~1SCRIPT~1SBServ.exe

I would recommend getting rid of all of the following stuff...

O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing

O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.Comcast.net

O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8000/java/cr.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2AB65D8C-517B-4830-BDD9-5530A9D9ECA2} (Tax$imple) - https://www.taxsimple.com/citrix/tax$imple.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom2.icq.oberon-media.com/odyssey_web8.cab

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch3.cab

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab

Then, reboot, run HijackThis again, and post the log.


Thanks for all your help so far guys. I deleted all my host files. I also deleted those Hijack files that you said I should.

Here is the new log for hijackthis

Logfile of HijackThis v1.99.1

Scan saved at 3:49:38 PM, on 5/31/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:WINNTSystem32smss.exe

C:WINNTsystem32winlogon.exe

C:WINNTsystem32services.exe

C:WINNTsystem32lsass.exe

C:WINNTsystem32Ati2evxx.exe

C:WINNTsystem32svchost.exe

C:WINNTSystem32svchost.exe

C:WINNTsystem32spoolsv.exe

C:WINNTsystem32Ati2evxx.exe

C:WINNTExplorer.EXE

C:Program FilesRoxioEasy CD Creator 5DirectCDDirectCD.exe

C:Program FilesCommon FilesMicrosoft SharedWorks SharedWkUFind.exe

C:Program FilesJavaj2re1.4.2_05binjusched.exe

C:Program FilesViewpointViewpoint ManagerViewMgr.exe

C:PROGRA~1GrisoftAVGFRE~1avgcc.exe

C:PROGRA~1GrisoftAVGFRE~1avgemc.exe

C:Program FilesATI TechnologiesATI.ACEcli.exe

C:Program FilesAWSWeatherBugWeather.exe

C:Program FilesATI TechnologiesATI.ACECLI.exe

C:Program FileseFax Messenger 3.4J2GDllCmd.exe

C:Program FileseFax Messenger 3.4J2GTray.exe

C:Program FilesSupport.combintgcmd.exe

C:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe

C:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe

C:WINNTSystem32wbemwmiapsrv.exe

C:WINNTsystem32NOTEPAD.EXE

C:WINNTsystem32wuauclt.exe

C:Program FilesHijackthisHijackThis.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://www.comcast.net

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Microsoft Internet Explorer provided by Comcast

R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

O1 - Hosts: 66.218.75.184 mail.yahoo.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:Program FilesMicrosoft MoneySystemmnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:Program FilesSpybot - Search & DestroySDHelper.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:Program FilesViewpointViewpoint ToolbarViewBarBHO.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM..Run: [AdaptecDirectCD] "C:Program FilesRoxioEasy CD Creator 5DirectCDDirectCD.exe"

O4 - HKLM..Run: [Jet Detection] C:Program FilesCreativeSBAudigyPROGRAMADGJDet.exe

O4 - HKLM..Run: [Microsoft Works Update Detection] C:Program FilesCommon FilesMicrosoft SharedWorks SharedWkUFind.exe

O4 - HKLM..Run: [bJCFD] C:Program FilesBroadJumpClient FoundationCFD.exe

O4 - HKLM..Run: [ComcastSUPPORT] C:Program FilesSupport.combintgkill.exe /cleaneahtioga /start

O4 - HKLM..Run: [sunJavaUpdateSched] C:Program FilesJavaj2re1.4.2_05binjusched.exe

O4 - HKLM..Run: [ViewMgr] C:Program FilesViewpointViewpoint ManagerViewMgr.exe

O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVGFRE~1avgcc.exe /STARTUP

O4 - HKLM..Run: [AVG7_EMC] C:PROGRA~1GrisoftAVGFRE~1avgemc.exe

O4 - HKLM..Run: [ATICCC] "C:Program FilesATI TechnologiesATI.ACEcli.exe" runtime

O4 - HKCU..Run: [Weather] C:Program FilesAWSWeatherBugWeather.exe 1

O4 - HKCU..Run: [intel system tool] C:WINNTsystem32winnook.exe

O4 - Startup: eFax Live Menu 3.4.lnk = C:Program FileseFax Messenger 3.4J2GDllCmd.exe

O4 - Startup: eFax Tray Menu 3.4.lnk = C:Program FileseFax Messenger 3.4J2GTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:Program FilesATI TechnologiesATI.ACECLI.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:Program FilesViewpointViewpoint ToolbarViewBar.dll/CXTSEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_05binnpjpi142_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_05binnpjpi142_05.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:Program FilesAIM95aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program FilesPartyPokerPartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program FilesPartyPokerPartyPoker.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:Program FilesICQLiteICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:Program FilesICQLiteICQLite.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:Program FilesMicrosoft MoneySystemmnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe

O9 - Extra button: Support - {422EBA37-4B61-4334-AEFB-2D6C1F69EB1C} - http://www.comcastsupport.com (file missing) (HKCU)

O9 - Extra button: Help - {5F41EF1D-18EC-4997-826D-A67B9E543E51} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

O9 - Extra button: ComcastHSI - {75EB1CB9-8518-4B80-A91F-6C72A04BE462} - http://www.comcast.net (file missing) (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:Program FilesAWSWeatherBugWeather.exe (HKCU)

O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINNTsystem32Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:WINNTsystem32ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe

I've also attached the zipped files you asked for.


I still see these that should be deleted...

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program FilesPartyPokerPartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program FilesPartyPokerPartyPoker.exe

try deleting them again...

on another note, all the files appear to be virus free :)
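Comparing a follow-up scan with the first one by eye is error-prone on logs this long. The added Python example below (not part of any post here) diffs two HijackThis logs and reports which entries were removed, added, changed or kept; the samples are abridged from the two logs in this thread, with paths exactly as they appear on this page, and `parse_log` and `diff_logs` are names made up for this example.

```python
import re

# Section code ("R0", "O2", "O16", ...) followed by " - " and the entry body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
GUID = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

# Abridged from the first log in this thread; one entry is wrapped as posted.
OLD_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:WINNTExplorer.EXE
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.top20results.com/
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat
5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:WINNTsystem32azesearch4.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:WINNTSystem32msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program FilesPartyPokerPartyPoker.exe
"""

# Abridged from the second log in this thread.
NEW_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:WINNTExplorer.EXE
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_05binnpjpi142_05.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:Program FilesPartyPokerPartyPoker.exe
"""


def parse_log(text):
    """Return {key: entry line} in log order, rejoining entries wrapped by the forum."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match:
            rows.append([match.group(1), match.group(2)])
        elif rows:
            # A non-entry line after the first entry is the tail of a wrapped entry.
            rows[-1][1] += " " + line
        # Lines before the first entry are the header and process list: ignored.
    entries = {}
    for code, body in rows:
        body = " ".join(body.split())
        head = body.partition(" - ")[0]
        guid = GUID.search(body)
        # The GUID keeps apart entries that share a label such as "BHO: (no name)".
        key = (code, head, guid.group(0).lower() if guid else "")
        entries[key] = f"{code} - {body}"
    return entries


def diff_logs(old_text, new_text):
    """Classify entries of two scans as removed, added, changed or kept."""
    old, new = parse_log(old_text), parse_log(new_text)
    return {
        "removed": [line for key, line in old.items() if key not in new],
        "added": [line for key, line in new.items() if key not in old],
        "changed": [(old[k], new[k]) for k in new if k in old and old[k] != new[k]],
        "kept": [line for key, line in new.items() if old.get(key) == line],
    }


if __name__ == "__main__":
    for group, items in diff_logs(OLD_LOG, NEW_LOG).items():
        print(f"{group}: {len(items)}")
        for item in items:
            print("   ", item)
```

Pass in the log text only; trailing forum prose would be read as the tail of the last entry.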


Google is working properly now....kind of. When I go to google.com and try to search it says "Not Implemented. The server is unable to process your request." But the Google search bar on my Firefox browser is working fine now. How do I fix www.google.com? My Gmail is also working correctly now.

My Desktop is still hijacked though. I said before that my desktop is now an html file called "file://C:WINNTdesktop.html". I clicked on view source and this is what it says. Does this help in solving the problem?

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!----

***** This file is automatically generated by Microsoft Windows *****

--------><HTML><HEAD>

<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>

<BODY bgColor=#c0c0c0>

<DIV

style="BACKGROUND: url(file:///C:/WINNT/Firefox%20Wallpaper.bmp) no-repeat 50% 50%; LEFT: 0px; WIDTH: 1152px; POSITION: absolute; TOP: 0px; HEIGHT: 864px"></DIV><IFRAME

id=1

style="Z-INDEX: 1002; BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1152px; POSITION: absolute; TOP: 1px; HEIGHT: 833px"

name=DeskMovrW marginWidth=0 marginHeight=0 src="file:///C:/WINNT/desktop.html"

frameBorder=0 scrolling=no subscribed_url="" resizeable="粶搀ľඌ"> </IFRAME>

<OBJECT id=ActiveDesktopMover

style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5"

classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>

<OBJECT id=ActiveDesktopMoverW

style="Z-INDEX: 1001; LEFT: -1px; VISIBILITY: hidden; WIDTH: 1154px; POSITION: absolute; TOP: 0px; HEIGHT: 835px; container: positioned"

classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>&nbsp;

</BODY></HTML>

Also, is it safe to get back on IE?


No, I know how to change my desktop under normal conditions, but since it's been hijacked I don't know how to change it. I attached the picture that pops up when I right-click and choose Properties.


Woot! I fixed it!

Start > Control Panel > Display > Desktop tab > Customize Desktop Button > Web tab > uncheck security v2

Don't know how I figured that out but I did. Thank you guys for all of your help and making my brain force itself to find a solution.

Much <3  ;)


HijackThis log file

Logfile of HijackThis v1.99.1

Scan saved at 2:01:37 PM, on 6/4/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:WINNTSystem32smss.exe

C:WINNTsystem32winlogon.exe

C:WINNTsystem32services.exe

C:WINNTsystem32lsass.exe

C:WINNTsystem32svchost.exe

C:WINNTsystem32spoolsv.exe

C:WINNTSystem32svchost.exe

C:Program FilesNetwork AssociatesCommon FrameworkFrameworkService.exe

C:Program FilesNetwork AssociatesVirusScanmcshield.exe

C:Program FilesNetwork AssociatesVirusScanvstskmgr.exe

C:PROGRA~1McAfee.comPERSON~1MPFSERVICE.exe

C:WINNTsystem32regsvc.exe

C:WINNTsystem32MSTask.exe

C:WINNTSystem32WBEMWinMgmt.exe

C:WINNTsystem32svchost.exe

C:WINNTExplorer.EXE

C:Program FilesNetwork AssociatesVirusScanSHSTAT.EXE

C:Program FilesNetwork AssociatesCommon FrameworkUpdaterUI.exe

C:Program FilesMcAfee.comAgentmcagent.exe

C:PROGRA~1McAfee.comPERSON~1MpfTray.exe

C:PROGRA~1McAfee.comPERSON~1MpfAgent.exe

C:Program FilesMozilla Firefoxfirefox.exe

C:Program FilesInternet ExplorerIEXPLORE.EXE

C:Documents and SettingsAdministratorDesktophijackthisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.comcast.net/

R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.comcast.net/

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Microsoft Internet Explorer provided by Comcast

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 6.0AcrobatActiveXAcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar2.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:Program FilesAdobeAcrobat 6.0AcrobatAcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program FilesAdobeAcrobat 6.0AcrobatAcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINNTsystem32msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar2.dll

O4 - HKLM..Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM..Run: [shStatEXE] "C:Program FilesNetwork AssociatesVirusScanSHSTAT.EXE" /STANDALONE

O4 - HKLM..Run: [McAfeeUpdaterUI] "C:Program FilesNetwork AssociatesCommon FrameworkUpdaterUI.exe" /StartedFromRunKey

O4 - HKLM..Run: [NeroCheck] C:WINNTsystem32NeroCheck.exe

O4 - HKLM..Run: [MCAgentExe] C:Program FilesMcAfee.comAgentmcagent.exe

O4 - HKLM..Run: [MCUpdateExe] C:PROGRA~1McAfee.comAgentmcupdate.exe

O4 - HKLM..Run: [MPFExe] C:PROGRA~1McAfee.comPERSON~1MpfTray.exe

O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present

O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present

O8 - Extra context menu item: &Google Search - res://c:program filesgoogleGoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:program filesgoogleGoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:program filesgoogleGoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:program filesgoogleGoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:program filesgoogleGoogleToolbar2.dll/cmtrans.html

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINNTwebrelated.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINNTwebrelated.htm

O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/299f90ed8694c3e90701/netzip/RdxIE601.cab

O20 - Winlogon Notify: nwprovau - C:WINNTSYSTEM32nwprovau.dll

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:WINNTSystem32dmadmin.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:Program FilesNetwork AssociatesCommon FrameworkFrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:Program FilesNetwork AssociatesVirusScanmcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:Program FilesNetwork AssociatesVirusScanvstskmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:PROGRA~1McAfee.comPERSON~1MPFSERVICE.exe

O23 - Service: VNC Server (winvnc) - Unknown owner - C:Program FilesTightVNCWinVNC.exe" -service (file missing)
