hijacked browser problem

Discussion in 'Windows Desktop Systems' started by Striker, Sep 4, 2004.

  1. Striker

    Striker OSNN Junior Addict

    CWS hijacked browser

    I think it was originally CWS that brought this problem on, but I got rid of CWS (or so I think) and my browser is still hijacked with loads of pop-ups. I've run Ad-Aware and Spybot with the most recent updates - in safe mode and with System Restore turned off - and deleted everything, and used CWShredder, which doesn't detect anything, checked my Add/Remove Programs and did a quick check through my registry (but only in a few obvious places). Here's my HijackThis log (I cleaned it up a bit) after doing that. Anyway, if anyone notices anything in there or has any other suggestions, let me know, thanks.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcyzu.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcyzu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rcyzu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {44BECE92-B7DC-E0A5-2FC8-910FBA5C21AE} - C:\WINDOWS\sdkjk32.dll
    O2 - BHO: (no name) - {4795EA25-74E9-7E95-03BE-DC98B0410A5B} - C:\WINDOWS\system32\addkn.dll
    O2 - BHO: (no name) - {8BEFC88D-7F02-A4AA-BECE-E1797DB4DAC6} - C:\WINDOWS\system32\crpu32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [mfcbr32.exe] C:\WINDOWS\mfcbr32.exe
    O4 - HKLM\..\RunOnce: [sdkxk.exe] C:\WINDOWS\system32\sdkxk.exe
    O4 - HKLM\..\RunOnce: [winhz32.exe] C:\WINDOWS\winhz32.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
     
  2. Striker

    Striker OSNN Junior Addict

    Well, I suppose also if you've read this and those all seem pretty normal, let me know too; I'd rather not take the easy way out and reformat.

    If no one says otherwise I think I'll just take my chances and delete all the R-coded logs.
     
  3. Scott Thomas

    Scott Thomas r3bel.4.ever

    Well, here's the thing... I had the exact same problem... there is a running process, which is a trojan, which basically takes you to one website repeatedly and downloads malicious software onto your HD. I ended up having to format... big pain in the arse.
     
  4. j79zlr

    j79zlr Glaanies script monkey Political User

  5. Striker

    Striker OSNN Junior Addict

    Thanks for replying, here's the HJ log and the output of the program you linked to.

    --------------------------------------

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\PROGRA~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\javahr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TDispVol.exe
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\mfcbr32.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Globe Software\StatBar\StatBar.exe
    C:\Program Files\Ghrone\Ghrone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Rainlander\Rainlendar.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Windows Media Player\WMPLAYER.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\downloaded\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3202B39B-A35B-BCEE-9DB0-68ED2C239785} - C:\WINDOWS\system32\crgy.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mfcbr32.exe] C:\WINDOWS\mfcbr32.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
    O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe
    O4 - HKLM\..\RunOnce: [sdkxk.exe] C:\WINDOWS\system32\sdkxk.exe
    O4 - HKLM\..\RunOnce: [winhz32.exe] C:\WINDOWS\winhz32.exe
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlander\Rainlendar.exe
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gamedaily.com/ActiveX/vxpspeeddelivery.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Striker

    Striker OSNN Junior Addict

    --------------------------------------

    REMOTE PROCEDURE CALL (RPC) HELPER: O?’ŽrtñåȲ$Ó
    C:\WINDOWS\system32\javahr32.exe /s

    APPLICATION LAYER GATEWAY SERVICE: ALG
    C:\WINDOWS\System32\alg.exe

    WINDOWS AUDIO: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    BACKGROUND INTELLIGENT TRANSFER SERVICE: BITS
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COMPUTER BROWSER: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    CRYPTOGRAPHIC SERVICES: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP CLIENT: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    ERROR REPORTING SERVICE: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ EVENT SYSTEM: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    HELP AND SUPPORT: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    INFRARED MONITOR: Irmon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SERVER: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WORKSTATION: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    MESSENGER: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK CONNECTIONS: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK LOCATION AWARENESS (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    REMOTE ACCESS AUTO CONNECTION MANAGER: RasAuto
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    REMOTE ACCESS CONNECTION MANAGER: RasMan
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TASK SCHEDULER: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SECONDARY LOGON: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYSTEM EVENT NOTIFICATION: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SHELL HARDWARE DETECTION: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYSTEM RESTORE SERVICE: srservice
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TELEPHONY: TapiSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TERMINAL SERVICES: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    THEMES: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DISTRIBUTED LINK TRACKING CLIENT: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    UPLOAD MANAGER: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WINDOWS TIME: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    AUTOMATIC UPDATES: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    WIRELESS ZERO CONFIGURATION: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DEFWATCH: DefWatch
    C:\PROGRA~1\SYMANT~1\DefWatch.exe

    DNS CLIENT: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    DVD-RAM_SERVICE: DVD-RAM_Service
    C:\WINDOWS\System32\DVDRAMSV.exe

    EVENT LOG: Eventlog
    C:\WINDOWS\system32\services.exe

    PLUG AND PLAY: PlugPlay
    C:\WINDOWS\system32\services.exe

    TCP/IP NETBIOS HELPER: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SSDP DISCOVERY SERVICE: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    UNIVERSAL PLUG AND PLAY DEVICE HOST: upnphost
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WEBCLIENT: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SYMANTEC ANTIVIRUS CLIENT: Norton AntiVirus Server
    C:\PROGRA~1\SYMANT~1\Rtvscan.exe

    NVIDIA DRIVER HELPER SERVICE: NVSvc
    C:\WINDOWS\System32\nvsvc32.exe

    PML DRIVER HPZ12: Pml Driver HPZ12
    C:\WINDOWS\System32\HPZipm12.exe

    IPSEC SERVICES: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    PROTECTED STORAGE: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    SECURITY ACCOUNTS MANAGER: SamSs
    C:\WINDOWS\system32\lsass.exe

    REMOTE PROCEDURE CALL (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    PRINT SPOOLER: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    WINDOWS IMAGE ACQUISITION (WIA): stisvc
    C:\WINDOWS\System32\svchost.exe -k imgsvc

    TMESBS32: Tmesbs
    "C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service
     
  7. j79zlr

    j79zlr Glaanies script monkey Political User

    OK, make sure you stay off the internet and do not open any Internet Explorer windows until we are finished. Copy the following text into Notepad and save it as cwsuninstall.reg:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?’ŽrtñåȲ$Ó]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?’ŽrtñåȲ$Ó]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


    MAKE SURE YOU ARE COMPLETELY DISCONNECTED FROM THE INTERNET DURING THE FOLLOWING STEPS

    Go to Start->Run and type "Services.msc" (without quotes), then hit OK. Scroll down until you find REMOTE PROCEDURE CALL (RPC) HELPER.

    When you find it, double-click the service, then hit Stop, set its startup type to Disabled, hit Apply and OK your way out.

    Open up Task Manager and end either or both of these processes if they are running:

    C:\WINDOWS\mfcbr32.exe
    C:\WINDOWS\system32\javahr32.exe

    Have HJT fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {3202B39B-A35B-BCEE-9DB0-68ED2C239785} - C:\WINDOWS\system32\crgy.dll
    O4 - HKLM\..\Run: [mfcbr32.exe] C:\WINDOWS\mfcbr32.exe
    O4 - HKLM\..\RunOnce: [sdkxk.exe] C:\WINDOWS\system32\sdkxk.exe
    O4 - HKLM\..\RunOnce: [winhz32.exe] C:\WINDOWS\winhz32.exe

    Delete the two files from earlier; do not reboot or do this from safe mode, just delete them within Windows.

    C:\WINDOWS\mfcbr32.exe
    C:\WINDOWS\winhz32.exe
    C:\WINDOWS\system32\javahr32.exe
    C:\WINDOWS\system32\sdkxk.exe

    Now merge the registry file you created earlier, cwsuninstall.reg

    Rerun HJT and fix these again, if they are present:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {3202B39B-A35B-BCEE-9DB0-68ED2C239785} - C:\WINDOWS\system32\crgy.dll
    O4 - HKLM\..\Run: [mfcbr32.exe] C:\WINDOWS\mfcbr32.exe
    O4 - HKLM\..\RunOnce: [sdkxk.exe] C:\WINDOWS\system32\sdkxk.exe
    O4 - HKLM\..\RunOnce: [winhz32.exe] C:\WINDOWS\winhz32.exe

    Reboot and post a new HJT log along with a new services.txt.
     
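    As an added example (not tooling from this thread, from HijackThis, or from CWShredder), the following Python script applies the rules j79zlr used by hand in the post above to raw HijackThis log lines: R0/R1 entries whose start or search page is a res:// URL into a DLL on disk, ProxyOverride set to 127.0.0.1, Default_Page_URL forced to about:blank, an unnamed O2 BHO loading a DLL from the Windows directory, and O4 Run/RunOnce entries launching an unrecognised file from C:\WINDOWS or system32. The sample lines are copied from the logs posted in this thread. The known-good list (ezSP_Px.exe, RAMASST.exe, NeroCheck.exe, 00THotkey.exe) and the C:\WINDOWS layout are assumptions taken from the entries he left alone; a real helper would check hashes or signatures instead of a name list. The res:// check deliberately looks only at R-lines, because the O8 Excel entry (res://...EXCEL.EXE/3000) is a legitimate use of the same protocol. It goes slightly beyond his list by also collecting the hijacker's DLLs (axqkn.dll, crgy.dll) for deletion; javahr32.exe only shows up in the services output, which an HJT log cannot tell you about.

```python
"""Triage HijackThis (HJT) log lines for CoolWebSearch-style residue.

Added example, not the thread's own tooling. The rules encode what j79zlr
selected by hand; KNOWN_GOOD and the C:\\WINDOWS layout are assumptions
taken from the entries he left alone.
"""
import re

# Files dropped directly into %WINDIR% or system32 (assumed XP-era C:\WINDOWS).
WINDIR_RE = re.compile(r'^C:\\WINDOWS\\(?:system32\\)?([^\\]+)$', re.I)
# Leading path in an O4 target: optional quotes, trailing arguments ignored.
PATH_RE = re.compile(r'^"?([A-Za-z]:\\.+?\.(?:exe|dll|ocx))', re.I)
# res:// URL that loads HTML out of a DLL on disk (how CWS serves its pages).
RES_RE = re.compile(r'^res://([A-Za-z]:\\[^/]+\.dll)/', re.I)
# Assumption: %WINDIR% files the thread treated as legitimate.
KNOWN_GOOD = {'ezsp_px.exe', 'ramasst.exe', 'nerocheck.exe', '00thotkey.exe'}

# Lines copied from the logs posted in this thread (not constructed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\axqkn.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3202B39B-A35B-BCEE-9DB0-68ED2C239785} - C:\WINDOWS\system32\crgy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [mfcbr32.exe] C:\WINDOWS\mfcbr32.exe
O4 - HKLM\..\RunOnce: [sdkxk.exe] C:\WINDOWS\system32\sdkxk.exe
O4 - HKLM\..\RunOnce: [winhz32.exe] C:\WINDOWS\winhz32.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""


def unknown_windir_file(path):
    """True if path is an unrecognised file sitting directly in C:\\WINDOWS or system32."""
    m = WINDIR_RE.match(path)
    return bool(m) and m.group(1).lower() not in KNOWN_GOOD


def o4_target(line):
    """Extract the launched file from an O4 line ("[name] target" or "x.lnk = target")."""
    rest = line.split(' - ', 1)[1]
    m = re.search(r'(?:\]\s+|=\s+)(.*)$', rest)
    if not m:
        return None
    p = PATH_RE.match(m.group(1))
    return p.group(1) if p else None


def classify(line):
    """Return (reason, file_path_or_None) if the line looks like hijacker residue, else None."""
    kind = line.split(' - ', 1)[0]
    if kind in ('R0', 'R1'):
        key, _, value = line.partition(' = ')
        if value.lower().startswith('res://') and '.dll' in value.lower():
            m = RES_RE.match(value)
            return ('IE start/search page served from a local DLL via res://',
                    m.group(1) if m else None)
        if 'ProxyOverride' in key and value == '127.0.0.1':
            return ('ProxyOverride=127.0.0.1 added by the hijacker', None)
        if 'Default_Page_URL' in key and value == 'about:blank':
            return ('Default_Page_URL forced to about:blank (non-default)', None)
    elif kind == 'O2' and '(no name)' in line:
        path = line.rsplit(' - ', 1)[1]
        if unknown_windir_file(path):
            return ('unnamed BHO loading an unknown DLL from %WINDIR%', path)
    elif kind == 'O4':
        path = o4_target(line)
        if path and unknown_windir_file(path):
            where = 'RunOnce' if 'RunOnce' in line else 'Run/Startup'
            return (f'{where} entry launching an unknown file from %WINDIR%', path)
    return None


def triage(log_text):
    """Return [(line, reason, path)] for every suspicious line in an HJT log."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        hit = classify(line) if line else None
        if hit:
            out.append((line, hit[0], hit[1]))
    return out


def hjt_fix_list(log_text):
    """The lines you would tick in HJT and click Fix on."""
    return [line for line, _, _ in triage(log_text)]


def files_to_delete(log_text):
    """On-disk files referenced by the flagged entries, to remove after fixing."""
    return sorted({p for _, _, p in triage(log_text) if p})


if __name__ == '__main__':
    for line, reason, _ in triage(SAMPLE_LOG):
        print(f'FIX  {line}\n     -> {reason}')
    print('Delete:', *files_to_delete(SAMPLE_LOG), sep='\n  ')
```

    Fixing these entries in HJT only rewrites the registry values and unregisters the BHO; it does not touch the files or the "RPC Helper" service, which is why j79zlr has the service stopped and the two processes killed first, deletes the files from within Windows before merging the .reg file, and insists on staying offline for the whole sequence.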
  8. Striker

    Striker OSNN Junior Addict

    :eek: :D

    Well, that sure seems to have done the trick. The hijacked browser seems gone, as do the pop-ups, and I swear my computer loads my settings way faster, and even my winzh32.exe error I would get once in a while is gone. Thanks so much. I'll re-post my HJ log and services in case there's another step to finalize, but this is great.

    ---------------------------

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\PROGRA~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TDispVol.exe
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\Globe Software\StatBar\StatBar.exe
    C:\Program Files\Ghrone\Ghrone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Rainlander\Rainlendar.exe
    C:\Program Files\stickies\stickies.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\downloaded\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
    O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlander\Rainlendar.exe
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gamedaily.com/ActiveX/vxpspeeddelivery.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Striker

    Striker OSNN Junior Addict

    ------------------------

    These are the Current Active Services:

    APPLICATION LAYER GATEWAY SERVICE: ALG
    C:\WINDOWS\System32\alg.exe

    WINDOWS AUDIO: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    BACKGROUND INTELLIGENT TRANSFER SERVICE: BITS
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COMPUTER BROWSER: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    CRYPTOGRAPHIC SERVICES: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP CLIENT: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    ERROR REPORTING SERVICE: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ EVENT SYSTEM: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    HELP AND SUPPORT: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    INFRARED MONITOR: Irmon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SERVER: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WORKSTATION: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    MESSENGER: Messenger
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK CONNECTIONS: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    NETWORK LOCATION AWARENESS (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    REMOTE ACCESS AUTO CONNECTION MANAGER: RasAuto
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    REMOTE ACCESS CONNECTION MANAGER: RasMan
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TASK SCHEDULER: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SECONDARY LOGON: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYSTEM EVENT NOTIFICATION: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SHELL HARDWARE DETECTION: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    SYSTEM RESTORE SERVICE: srservice
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TELEPHONY: TapiSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    TERMINAL SERVICES: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    THEMES: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DISTRIBUTED LINK TRACKING CLIENT: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    UPLOAD MANAGER: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WINDOWS TIME: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    AUTOMATIC UPDATES: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    WIRELESS ZERO CONFIGURATION: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DEFWATCH: DefWatch
    C:\PROGRA~1\SYMANT~1\DefWatch.exe

    DNS CLIENT: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    DVD-RAM_SERVICE: DVD-RAM_Service
    C:\WINDOWS\System32\DVDRAMSV.exe

    EVENT LOG: Eventlog
    C:\WINDOWS\system32\services.exe

    PLUG AND PLAY: PlugPlay
    C:\WINDOWS\system32\services.exe

    TCP/IP NETBIOS HELPER: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SSDP DISCOVERY SERVICE: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    UNIVERSAL PLUG AND PLAY DEVICE HOST: upnphost
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WEBCLIENT: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SYMANTEC ANTIVIRUS CLIENT: Norton AntiVirus Server
    C:\PROGRA~1\SYMANT~1\Rtvscan.exe

    NVIDIA DRIVER HELPER SERVICE: NVSvc
    C:\WINDOWS\System32\nvsvc32.exe

    PML DRIVER HPZ12: Pml Driver HPZ12
    C:\WINDOWS\System32\HPZipm12.exe

    IPSEC SERVICES: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    PROTECTED STORAGE: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    SECURITY ACCOUNTS MANAGER: SamSs
    C:\WINDOWS\system32\lsass.exe

    REMOTE PROCEDURE CALL (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    PRINT SPOOLER: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    WINDOWS IMAGE ACQUISITION (WIA): stisvc
    C:\WINDOWS\System32\svchost.exe -k imgsvc

    TMESBS32: Tmesbs
    "C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service
     
  10. j79zlr

    j79zlr Glaanies script monkey Political User

    OK, good job. The absolute first thing you need to do is run this online virus scan.

    http://housecall.trendmicro.com/housecall/start_corp.asp
    -------------------


    If you were using a Hosts File it was deleted.

    Download the Hoster from the link below. Click Restore Original Hosts. Click OK.
    http://members.aol.com/toadbee/hoster.zip
    --------
    control.exe may have been deleted.
    Follow instructions here to replace it: http://www.spywareinfo.com/~merijn/winfiles.html#control
    ----

    Check System32 to be sure you have a file named Shell.dll

    If you do not have one, go to System32\dllcache
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open System32 and right click on an empty space in the window. Choose Paste from the menu.

    ------

    Go here and follow the directions to reset your ActiveX
    http://www.computercops.biz/postt7736.html



    Now you need to get an antivirus program installed, and get ALL Windows updates. I'd also highly suggest using an alternative browser like Firefox or Mozilla in the future; these hijacks do not affect those and they are not infectable [by this one at least]. If you need a good free antivirus program, AVG 6.0 is excellent.
     
  11. Striker

    Striker OSNN Junior Addict

    Just wanted to say thanks, ya did a bang-up job, everything seems in order now.