# search engine hijack



## macknite (Mar 9, 2006)

Hi, I am having problems with my google and other search engines. When I commence a search and click on any answer I am taken to another search engine. This is happening continously. Various search engines are apppearing. NOt any recommended ones. I have run anti-virus and anti spyware programmes, but its still there. I have Armour wall anti-spyware and Avira anti-virus running. Any ideas. Thanks:


----------



## Byteman (Jan 24, 2002)

Hi, This is the first step:

go to  *Click here* to download HJTsetup.exe
Save HJTsetup.exe to your *desktop.*
Double click on the *HJTsetup.exe icon* on your desktop.
By default it will install to *C:\Program Files\Hijack This.* 
Continue to click *Next * in the setup dialogue boxes until you get to the *Select Additional Tasks dialogue.*
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then save the log and then the log will open in Notepad.
Click on *"Edit > Select All" * then click on *"Edit > Copy" *to copy the entire contents of the log.
Paste the log in your next reply.
DO *NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Also, like to see this list- include it in your reply.

Open Hijack This and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" botton. Copy and paste that list here please.


----------



## macknite (Mar 9, 2006)

HI BYTEMAN, appreciate your help. Log file to follow. Will await your advise. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 5:54:54 PM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\ArmorWall Personal Firewall\PopUpKiller.dll
O2 - BHO: (no name) - {BCC2FA3B-DF3D-5FC8-D23D-F52CDCEB8480} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Cleanup] C:\Program Files\Complete Cleanup Trial\compind.bat
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [EvidenceEraser] C:\Program Files\EvidenceEraser\EvidenceEraser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://anytime2.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159622478781
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21F43399-B5B8-4B4F-BC70-3847B4E20AEC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBCF6C9-481B-4B21-9698-9211919AC0FC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## macknite (Mar 9, 2006)

BYTEMAN,

log file from "Open Uninstall Manager"

Logfile of HijackThis v1.99.1
Scan saved at 5:54:54 PM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\ArmorWall Personal Firewall\PopUpKiller.dll
O2 - BHO: (no name) - {BCC2FA3B-DF3D-5FC8-D23D-F52CDCEB8480} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Cleanup] C:\Program Files\Complete Cleanup Trial\compind.bat
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [EvidenceEraser] C:\Program Files\EvidenceEraser\EvidenceEraser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armorwall personal firewall\netdog.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://anytime2.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159622478781
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21F43399-B5B8-4B4F-BC70-3847B4E20AEC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBCF6C9-481B-4B21-9698-9211919AC0FC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Byteman (Jan 24, 2002)

Hi, Try again- you did get two Hijackthis logs, need Uninstall list. Betcha you had the HJT log on the clipboard, went to grab the Uninstall list, and forget to hit "Copy" before Pasting. If I had a buck for every time it's happened to me.....

Here's the steps again> Open Hijack This and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" botton. Copy and paste that list here please.


----------



## Byteman (Jan 24, 2002)

Hi, You are using two antivirus programs at the same time I think, AntiVir and ClamWin...... I may be wrong but you should have one or the other set to run in the background, and one to not be running when Windows is....choose one and turn the other one off using it's settings in the respective program.

You have some software installed that has set up Restrictions for Internet Explorer, if you know what one, temporarily turn it off just before you run Fix Wareout.... It might be ArmorAll firewall.

PCConfidential perhaps- I've never heard of this one?

These two items in HJT log show what I mean: (No, do *not* fix them yet!)

_O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present_

Download >

*http://downloads.subratam.org/Fixwareout.exe*

Right-click on the above link, save it to your desktop, and click on it to run the application. Click Next, then Install, then make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

5. When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again

Finally, please post the contents of the logfile C:\fixwareout\report.txt

Next: You have to check some networking settings:

If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

Double-click the *Network Connections* icon
Right-click the *Local Area Connection* icon and select *Properties*.
Higlight *Internet Protocol (TCP/IP)* and click the *Properties* button.
Be sure *Obtain DNS server address automatically* is selected.
*OK* your way out.

* Go to Start > Run and type in *cmd*
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

Note there IS ONE SPACE after the "g" 
*ipconfig /flushdns*

Hit Enter.
Exit the command window.

Restart your computer.

If there is any connection problem, go through the steps above once more, this thing likes to put itself back....scan with HJT, if you see the items we removed back, fix them again with all windows CLOSED, even this one....then, check the DNS address and set to obtain automatically etc as before.....restart as before.

Note: *The entries mentioned above, will show like this if they return in a new Hijackthis scan:*

O17 - HKLM\System\CCS\Services\Tcpip\..\{21F43399-B5B8-4B4F-BC70-3847B4E20AEC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBCF6C9-481B-4B21-9698-9211919AC0FC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109

Next:

Run *ActiveScan* online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. 
Post the contents of the ActiveScan report along with a new Hijack This log.


----------



## macknite (Mar 9, 2006)

Hi Byteman, thanks again for all your help. I tried to do as you suggested and run Fixwareout.exe but its not working. Probably because of something I have installed previously. 

This is whats happening......... saved Fixwareout.exe. to desktop. When I launch Im getting this black window screen

C:\Windows\System32\cmd.exe
with script....This batch will remove wareout, killNc Lean

SpyMarshall and UnSpyPc from your system

use at your own risk

press any key to continue..........when I do >>>>>>>>>I get the following

---------------------------------------
I then get the Notepad.txt window

script............check for missing files

c\windows\system32\autoexe.nt not there



Not sure whats missing???


----------



## Byteman (Jan 24, 2002)

Hi, Try booting up in *Safe Mode with Networking * and run FixWareout.

(I think a new download might help, too, so do that)

http://downloads.subratam.org/Fixwareout.exe

Right-click on the above link, save it to your desktop, and click on it to run the application. Click Next, then Install, then make sure "Run fixit" is checked and click Finish.

To get to the right mode, shut down totally first.

Wait 20 seconds or so, and push Power switch to restart....start tapping the F8 key as you usually would to get to Safe Mode, but move the selection line down to "Safe Mode with Networking" and hit the Enter key.

This mode allows Internet access, but less activity in case some software is preventing it from scripting.

There may be a program you have installed, taht blocks scripts?


----------



## Byteman (Jan 24, 2002)

Hi, Just got some help from MFDnSC who gave me this:

*http://www.visualtour.com/downloads/*

Scroll down to "XPFix" download and run, then try Wareout again.

Might not have to go to Safe with Networking, either.


----------



## macknite (Mar 9, 2006)

Hi Byteman,

the folowing is the file log after I ran Fixwareout. 
Just to let you know...I ran the Avira anti-virus BEFORE I installed Http;//downloads.subratam.org/Fixwareout.exe,
and after...the following trojan was detected

Tr/Dldr.Agent.63270

Fixwareout Last edited 2/11/2007
Post this report in the forums please 
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "system"="" 
....
....
»»»»» Misc files. 
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

The system cannot find the file specified.

Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Excite Private Messenger Pipe"="C:\\Program Files\\Excite\\PrvtMsgr\\bin\\x8IMPipe.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"errorkiller"="\"C:\\Program Files\\errorkiller\\errorkiller.exe\" -boot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Cleanup"="C:\\Program Files\\Complete Cleanup Trial\\compind.bat"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BestPopUpKiller"="C:\\Program Files\\BestPopUpKiller\\BestPopupKiller.exe /startup"

"ccleaner"="\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /AUTO"

"EvidenceEraser"="C:\\Program Files\\EvidenceEraser\\EvidenceEraser.exe"

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


----------



## Byteman (Jan 24, 2002)

Hi, See if ErrorKiller appears in Add/remove Programs, Uninstall if it is. The uninstaller may not work, just continue....

This small free utility may help you see what is installed that is bad:

*http://rogueremover.en.softonic.com/ie/57536*

Would be nice to see if ErrorKiller was detected, or not, as there is some difference of opinion about it.

Also, you never posted the Uninstall list I asked for at the beginning...

*Open Hijack This and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" botton. Copy and paste that list here please.*

Post a brand new Hijackthis log, the Uninstall list, and whatever else you find when you run RogueRemover....it looks it will be two at least>


----------



## macknite (Mar 9, 2006)

Hi Byteman. Had a very unerving experience when I ran <http://roguemover.ensoftonic.com/ie/57536>

When the log file appeared, I quickly scanned the results and as you had suggested, error killer appeared along with other such programs. Nothing else, particularly nothing that looked like it should not be deleted. Anyway I deleted the files, and immediately lost all my connections. All internet Explorer Browser files were deleted. So for the last few days I have had no Internet connection. Tried everything including reconnectiing my modem etc. Eventually I was able to get a connection with the help of my service provider and removed the old Explore files and re-launched Explore 7. So its looks like Im ok again. Might be helpful to mention when suggesting to anyone to launch The above programme ..NOT TO DELETE ANYTHING.. until they check back with you. I should have !!!


----------



## Byteman (Jan 24, 2002)

Hi, Sorry you did that- is the log still available- I'd like to see it.

Don't run the tool again to make one, just the old log if you still have it. 
Weren't you given any choice to delete files...or not? 
I can't fathom why it would remove IE files.

Anyway, post a new Hijackthis log, and don't fix anything without help!


----------



## macknite (Mar 9, 2006)

Hi again,
Yes when I ran "roguemover" it did give me an option to delete or not, but when I checked the files listed and saw nothing remotely dangerous I regretably deleted everything......but anyway everything seems to be ok now...fingers crossed. Many thanks again for all your time and help.....will go and donate. Were lucky to have this site and the expert help.

Logfile of HijackThis v1.99.1
Scan saved at 9:32:06 PM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [EvidenceEraser] C:\Program Files\EvidenceEraser\EvidenceEraser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RWC_CLR_DAT] C:\Program Files\R-Wipe&Clean\RWipeRun.exe /CLEAR-INDEXES /COOK /TIF /HIST
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\armor2net\armorwall personal firewall\netdog.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://anytime2.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159622478781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21F43399-B5B8-4B4F-BC70-3847B4E20AEC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBCF6C9-481B-4B21-9698-9211919AC0FC}: NameServer = 192.111.39.1,192.111.39.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: R-Wipe and Clean Assistant - Unknown owner - C:\Program Files\R-Wipe&Clean\RwcNtSrv.exe


----------



## Byteman (Jan 24, 2002)

Hi, You still have the Wareout infection. I think there is someone here who can help.....this infection can get things pretty screwed up if you don't take care of it. Probably was a reason your IE got messed up....


----------



## cybertech (Apr 16, 2002)

Hi macknite,

Let me see if I can help you out.
Go to this web page: http://www.visualtour.com/downloads/ 
scroll down to XP Fix follow the instructions to download it and then double click to run it.

After you have done that please run Fixwareout again and let us know if it runs.


----------



## Byteman (Jan 24, 2002)

Hi cybertech! We tried that back in the thread. 

Macknite >>> please give it another run! I think a new download of the Wareout remover might help 
and, there may be other things cybertech or I can help to get you fixed.


Might work this time!


----------



## cybertech (Apr 16, 2002)

Sorry I did not see where that was tried. Didn't mean to repeat a step. 


Macknite please post your log again.


----------



## macknite (Mar 9, 2006)

Hi, this is the latest log.file. I did as recommended

Fixwareout Last edited 2/11/2007
Post this report in the forums please 
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "system"="" 
....
....
»»»»» Misc files. 
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

The system cannot find the file specified.

Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Excite Private Messenger Pipe"="C:\\Program Files\\Excite\\PrvtMsgr\\bin\\x8IMPipe.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BestPopUpKiller"="C:\\Program Files\\BestPopUpKiller\\BestPopupKiller.exe /startup"

"ccleaner"="\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /AUTO"

"EvidenceEraser"="C:\\Program Files\\EvidenceEraser\\EvidenceEraser.exe"

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


----------



## cybertech (Apr 16, 2002)

Please post your hijackthis log.


----------



## macknite (Mar 9, 2006)

Hi,
Hijack this log file below.

Logfile of HijackThis v1.99.1
Scan saved at 5:37:42 PM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BestPopUpKiller\BestPopupKiller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [EvidenceEraser] C:\Program Files\EvidenceEraser\EvidenceEraser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\armor2net\armorwall personal firewall\netdog.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O16 - DPF: Ulster Bank AnyTime - https://anytime2.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159622478781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21F43399-B5B8-4B4F-BC70-3847B4E20AEC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DBCF6C9-481B-4B21-9698-9211919AC0FC}: NameServer = 192.111.39.1,192.111.39.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O17 - HKLM\System\CCS\Services\Tcpip\..\{21F43399-B5B8-4B4F-BC70-3847B4E20AEC}: NameServer = 85.255.114.29,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.29 85.255.112.109

*Close all applications and browser windows before you click "fix checked".*

Click the Start button and Select Control Panel from the menu. 
Select Network and Internet Connections. 
Double-click the Network Connections icon.
Right-click the Local Area Connection icon and select Properties.
Click on Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

Go to Start > Run and type in *cmd*
Click OK.
This will open a command prompt.
Type the following line in the command window:

*ipconfig /flushdns*

Hit Enter
Exit the command window

Now restart your machine and post a new Hijackthis log.


----------



## macknite (Mar 9, 2006)

Sorry, Im not 100% on which version I have. Whethr its classic view or not. I can't se fro the system info.

OS Name	Microsoft Windows XP Home Edition
Version	5.1.2600 Service Pack 2 Build 2600
OS Manufacturer	Microsoft Corporation
System Name	PC-1
System Manufacturer	GBT___
System Model	AWRDACPI
System Type	X86-based PC
Processor	x86 Family 15 Model 1 Stepping 3 GenuineIntel ~1716 Mhz
BIOS Version/Date	Award Software International, Inc. 6.00 PG, 11/26/2002
SMBIOS Version	2.3
Windows Directory	C:\WINDOWS
System Directory	C:\WINDOWS\system32
Boot Device	\Device\HarddiskVolume1
Locale	United States
Hardware Abstraction Layer	Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
User Name	PC-1\User1
Time Zone	GMT Standard Time
Total Physical Memory	128.00 MB
Available Physical Memory	11.18 MB
Total Virtual Memory	2.00 GB
Available Virtual Memory	1.96 GB
Page File Space	287.49 MB
Page File	C:\pagefile.sys


----------



## macknite (Mar 9, 2006)

Having checked my control panel view, it is generally in classic view but with the option to switch to category view??


----------



## cybertech (Apr 16, 2002)

I edited my instructions, please read them again.


----------



## macknite (Mar 9, 2006)

I ran HJT and checked specific files as directed.

Previously when I lost Internet Connection my Service Provider allocated a new specific IP address and a new DNS address. 

The "use specific address box is currently checked" and not the "Obtain DNS server address automaticaly" 

After my last experience I am a bit worried about changing this again, so I will await your advice.

My PC is working ok at present


----------



## cybertech (Apr 16, 2002)

You need to refer to the information provided by your ISP to reset your IP address and a new DNS address.

As you stand right now the information provided by your ISP _may not _be working. You are the one that has to determine that since you have the information.


----------

