#1
Hi,
Our business computer has been hijacked by one of those adware/spyware type programs that redirects your homepage and also brings up lots of pop-up windows. I am no expert in this area, but have been learning about it from http://www.thespykiller.co.uk I tried running the CoolWebSearch (CWS) Shredder from this site, which found and removed CWS.Aff.Winshow, but the problem still seems to be there. I have run HijackThis and got my log file as seems to be the standard procedure here (see below). What do we need to do to get rid of this thing? Any help would be much appreciated since we are new to the Internet and trying to run a business. Thank you in advance. HijackThis Log File ============== Logfile of HijackThis v1.97.7 Scan saved at 23:13:52, on 27/06/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WIN\System32\smss.exe C:\WIN\system32\winlogon.exe C:\WIN\system32\services.exe C:\WIN\system32\lsass.exe C:\WIN\system32\svchost.exe C:\WIN\System32\svchost.exe C:\WIN\Explorer.EXE C:\WIN\system32\spoolsv.exe C:\PROGRA~1\Navnt\defwatch.exe C:\PROGRA~1\Navnt\rtvscan.exe C:\WIN\System32\svchost.exe C:\WIN\ntjl.exe C:\PROGRA~1\Navnt\vptray.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe C:\WIN\System32\atiptaxx.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\WIN\system32\winna32.exe C:\Program Files\Jessops\Picture Suite\InsDetect.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Executables\HijackThis.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm R1 - 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN\system32\hetpp.dll/sp.html#37049 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hetpp.dll/index.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hetpp.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN\system32\hetpp.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hetpp.dll/index.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WIN\system32\hetpp.dll/sp.html#37049 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080 O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {35C3C678-BB1B-5B7E-E37E-223E5B63207A} - C:\WIN\iegs32.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN\System32\msdxm.ocx O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScan\hpsjbmgr.exe O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [NeroCheck] C:\WIN\system32\NeroCheck.exe O4 - HKLM\..\Run: [MSZTCE] C:\WIN\System32\MSZTCE.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" 
-atboottime O4 - HKLM\..\Run: [winna32.exe] C:\WIN\system32\winna32.exe O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\InsDetect.exe O4 - HKLM\..\RunOnce: [ntjl.exe] C:\WIN\ntjl.exe O4 - HKLM\..\RunOnce: [netbw32.exe] C:\WIN\system32\netbw32.exe O4 - HKLM\..\RunOnce: [croe.exe] C:\WIN\system32\croe.exe O4 - HKLM\..\RunOnce: [winzi32.exe] C:\WIN\system32\winzi32.exe O4 - HKLM\..\RunOnce: [sysre.exe] C:\WIN\sysre.exe O4 - HKLM\..\RunOnce: [javadp32.exe] C:\WIN\javadp32.exe O4 - HKLM\..\RunOnce: [javacf32.exe] C:\WIN\system32\javacf32.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/ O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19f8be4b...p/RdxIE601.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab |
#2
Hello,

This is going to take more than one time through, I think. Print this page so you can follow it.

First, do a Ctrl+Alt+Del, find these processes and End Task them:

C:\WIN\ntjl.exe
C:\WIN\system32\winna32.exe

Run HijackThis again with all browsers closed, including this one, and place a check beside each of the following items. Once done, click the Fix checked button.

O2 - BHO: (no name) - {35C3C678-BB1B-5B7E-E37E-223E5B63207A} - C:\WIN\iegs32.dll
O4 - HKLM\..\Run: [MSZTCE] C:\WIN\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [winna32.exe] C:\WIN\system32\winna32.exe
O4 - HKLM\..\RunOnce: [ntjl.exe] C:\WIN\ntjl.exe
O4 - HKLM\..\RunOnce: [netbw32.exe] C:\WIN\system32\netbw32.exe
O4 - HKLM\..\RunOnce: [croe.exe] C:\WIN\system32\croe.exe
O4 - HKLM\..\RunOnce: [winzi32.exe] C:\WIN\system32\winzi32.exe
O4 - HKLM\..\RunOnce: [sysre.exe] C:\WIN\sysre.exe
O4 - HKLM\..\RunOnce: [javadp32.exe] C:\WIN\javadp32.exe
O4 - HKLM\..\RunOnce: [javacf32.exe] C:\WIN\system32\javacf32.exe

***Do not reboot yet.

Now go online and do this: download about:Buster from either of the following locations.

http://www.atribune.org/downloads/AboutBuster.zip
or
http://tools.zerosrealm.com/AboutBuster.zip

Close ALL Internet Explorer windows. This is a very important step!! You do not want to be online for this part.

Run AboutBuster.exe, click OK, then Start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

Reboot and post a new HijackThis log along with the report from about:Buster.
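The reply above picks its fix list out of the log by eye, using three recurring signs of this kind of hijack: R0/R1 entries whose home or search page points at a local DLL resource (a res:// URL), an unnamed BHO loaded straight out of the Windows directory, and a cluster of O4 Run/RunOnce values named after bare executables dropped in C:\WIN. The following script, added here as an illustration and not part of either post or of HijackThis itself, turns those three observations into a small log triage that a helper could run before reading a log line by line. The sample entries are copied from the log posted in #1; the Windows directory (C:\WIN, as the log shows) is a parameter and the flag reasons are my own wording.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a dozen entries copied from the HijackThis log posted
# in #1, mixed benign and suspicious, so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WIN\system32\hetpp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hetpp.dll/index.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35C3C678-BB1B-5B7E-E37E-223E5B63207A} - C:\WIN\iegs32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winna32.exe] C:\WIN\system32\winna32.exe
O4 - HKLM\..\RunOnce: [ntjl.exe] C:\WIN\ntjl.exe
O4 - HKLM\..\RunOnce: [netbw32.exe] C:\WIN\system32\netbw32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""

# HijackThis entry lines look like "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 registry body: "<hive>\..\Run[Once]: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<path>.*)$")


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its kind (R0, O2, O4, ...) and body; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()}


def _exe_path(command: str) -> str:
    """Strip arguments from an O4 command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command


def _under_windir(path: str, windir: str) -> bool:
    """True if the file sits directly in the Windows directory or its system32."""
    parent = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
    w = windir.lower().rstrip("\\")
    return parent in (w, w + "\\system32")


def flag_entry(entry: Dict[str, str], windir: str = "C:\\WIN") -> Optional[str]:
    """Return a reason string if the entry matches one of the hijack patterns, else None."""
    kind, body = entry["kind"], entry["body"]
    if kind in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        if value.lower().startswith("res://"):
            return "IE start/search page redirected to a local DLL resource (res://)"
    elif kind == "O2":
        m = BHO_RE.match(body)
        if m and m.group("name") == "(no name)" and _under_windir(m.group("path"), windir):
            return "unnamed BHO loaded straight from the Windows directory"
    elif kind == "O4":
        m = RUN_RE.match(body)
        if m:
            exe_path = _exe_path(m.group("path"))
            exe_name = exe_path.rsplit("\\", 1)[-1].lower()
            if m.group("key").lower() == "runonce":
                return "RunOnce persistence entry"
            if m.group("label").lower() == exe_name and _under_windir(exe_path, windir):
                return "Run entry named after a bare executable in the Windows directory"
    return None


def triage(log_text: str, windir: str = "C:\\WIN") -> List[Dict[str, str]]:
    """Run flag_entry over every entry line and collect the hits with their reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reason = flag_entry(entry, windir)
        if reason:
            findings.append({"entry": entry["raw"], "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['reason']}\n    {hit['entry']}")
```

On the sample it flags six entries (the two res:// pages, iegs32.dll, winna32.exe and both RunOnce items) and passes the Adobe BHO, vptray and QuickTime lines. It deliberately does not catch the [MSZTCE] line that the reply also lists, because that value name does not match its executable; heuristics like these narrow a log down, they do not replace the reviewer's judgement.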