CWS hijacked browser
I think it was originally CWS that brought this problem on, but I got rid of CWS (or so I think) and my browser is still hijacked with loads of pop-ups. I've run Ad-Aware and Spybot with the most recent updates - in safe mode and with System Restore turned off - and deleted everything, and used CWShredder, which doesn't detect anything, checked my Add/Remove Programs and did a quick check through my registry (but only in a few obvious places). Here's my HijackThis log (I cleaned it up a bit) after doing that. Anyways, if anyone notices anything in there or has any other suggestions, let me know, thanks.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcyzu.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcyzu.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rcyzu.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rcyzu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44BECE92-B7DC-E0A5-2FC8-910FBA5C21AE} - C:\WINDOWS\sdkjk32.dll
O2 - BHO: (no name) - {4795EA25-74E9-7E95-03BE-DC98B0410A5B} - C:\WINDOWS\system32\addkn.dll
O2 - BHO: (no name) - {8BEFC88D-7F02-A4AA-BECE-E1797DB4DAC6} - C:\WINDOWS\system32\crpu32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [mfcbr32.exe] C:\WINDOWS\mfcbr32.exe
O4 - HKLM\..\RunOnce: [sdkxk.exe] C:\WINDOWS\system32\sdkxk.exe
O4 - HKLM\..\RunOnce: [winhz32.exe] C:\WINDOWS\winhz32.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll