#1
res://homxh.dll/index.html#96676
This is the default home page (the most annoying feature). Below is the most recent HijackThis log after Ad-Aware. PLEASE HELP!

Logfile of HijackThis v1.97.7
Scan saved at 21:25:19, on 18/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\addxd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\sysqn32.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://homxh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\homxh.dll/sp.html#96676
O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe
O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games21.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46
#2
Hello,
If you are still in need of assistance, please post back.
#3
Yes, I still need assistance, PLEASE!
#4
Ok, what I would like you to do is post a new HJT log so I can make sure nothing has changed since your last log.
#5
Thanks, I am at work so I shall do that this evening.
#6
Hiya, I noticed the HJT posts are ending, so I hope you can help fix this once and for all!
Each time I go online I get the rescue "search page" plus one "stop nasty pop-ups" window ad. Please tell me how to alter this registry setting and remove any suspicious files you notice below. THANKS!!!

Logfile of HijackThis v1.97.7
Scan saved at 19:51:56, on 05/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://homxh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\homxh.dll/sp.html#96676
O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [addxd.exe] C:\WINDOWS\addxd.exe
O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Ladbrokes Poker (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games21.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46
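As an added example (not HijackThis code, nor anything from the thread), here is a small Python triage of a 1.97-style log that flags the entry classes the later fix list targets: R0/R1 values pointing at a res:// DLL resource, an unnamed BHO, O4 executables sitting in the Windows root or in RunOnce, and O16 DPF downloads from hosts outside an allowlist. The sample lines are constructed from the log above, and the allowlist of vetted DPF hosts is the example's own assumption.

```python
"""Triage a HijackThis 1.97-style log for the entry classes seen in this thread.

Added example; not part of HijackThis or of the forum's tooling.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample, shaped like the log posted above (a subset of its lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk
O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe
O4 - HKLM\..\RunOnce: [addxd.exe] C:\WINDOWS\addxd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games21.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

# Assumption for this example: hosts whose ActiveX downloads the analyst has vetted.
KNOWN_DPF_HOSTS = {"www.ravantivirus.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \([^)]*\))? - (?P<url>\S+)$")
# An .exe sitting directly in the Windows root (not System32, not Program Files).
WINROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?$', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for a suspicious HJT entry, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        # IE start/search/default pages: a res:// value loads HTML out of a local DLL.
        _key, _, value = body.partition(" = ")
        if value.lower().startswith("res://"):
            return Finding(kind, "IE page setting points at a local DLL resource", line)
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return Finding(kind, "Browser Helper Object with no name", line)
    elif kind == "O4":
        o4 = O4_RE.match(body)
        if o4 and o4.group("key").lower() == "runonce":
            return Finding(kind, "RunOnce entry re-launches a dropped file at next boot", line)
        if o4 and WINROOT_EXE_RE.match(o4.group("target")):
            return Finding(kind, "autostart executable sitting in the Windows root", line)
    elif kind == "O16":
        o16 = O16_RE.match(body)
        if o16:
            host = (urlsplit(o16.group("url")).hostname or "").lower()
            if host not in KNOWN_DPF_HOSTS:
                return Finding(kind, f"ActiveX download from unvetted host {host}", line)
    return None


def triage_log(text: str):
    """Scan every line of a log and collect the findings in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line.strip()}")
```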
#7
Hello,
It looks like you have the new infection out there. What I need from you now is a services log. Do this: could you please download this program and run it: http://www.dougknox.com/xp/utils/StartupTracker3.zip
Copy the contents of what it shows here.
#8
ouch
Sounds like fun - here goes - sorry about the file length xoxo

06/08/2004 23:50:45

-- Registry -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
addxd.exe C:\WINDOWS\addxd.exe

-- Registry -- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Apoint C:\Program Files\Apoint\Apoint.exe
ATIModeChange Ati2mdxx.exe
BluetoothAuthenticationAgent rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
Mouse Suite 98 Daemon ICO.EXE
ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
HKSERV.EXE C:\Program Files\Sony\HotKey Utility\HKserv.exe
Switcher.exe C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
THGuard "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
sysqn32.exe C:\WINDOWS\sysqn32.exe
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

-- Registry -- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
No Items Found

-- Start Menu - Current User --
BlueSpace NE.lnk
WKCALREM.LNK

-- Start Menu - All Users --
HotSync Manager.lnk
PowerPanel.lnk
WinZip Quick Pick.lnk

-- Disabled Items --
No Items Found

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
Explorer.exe

-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
winlogon.exe winlogon.exe
services.exe C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
svchost.exe C:\WINDOWS\system32\svchost -k rpcss
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe C:\WINDOWS\System32\svchost.exe -k NetworkService
svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalService
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
ccEvtMgr.exe "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
alg.exe C:\WINDOWS\System32\alg.exe
ati2evxx.exe C:\WINDOWS\System32\Ati2evxx.exe
svchost.exe C:\WINDOWS\system32\svchost.exe -k bthsvcs
cisvc.exe C:\WINDOWS\system32\cisvc.exe
inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
mdm.exe "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
Navapsvc.exe "C:\Program Files\Norton AntiVirus\navapsvc.exe"
crth.exe C:\WINDOWS\system32\crth.exe /s
snmp.exe C:\WINDOWS\System32\snmp.exe
explorer.exe C:\WINDOWS\Explorer.EXE
Apoint.exe "C:\Program Files\Apoint\Apoint.exe"
rundll32.exe "C:\WINDOWS\System32\rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
ico.exe "C:\WINDOWS\System32\ICO.EXE"
ezSP_Px.exe "C:\WINDOWS\System32\ezSP_Px.exe"
HKServ.exe "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
Switcher.exe "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
atiptaxx.exe "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ccApp.exe "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
THGuard.exe "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
sysqn32.exe "C:\WINDOWS\sysqn32.exe"
HKWnd.exe "C:\Program Files\Sony\HotKey Utility\HKWnd.exe"
HOTSYNC.EXE "C:\Palm\HOTSYNC.EXE"
ApntEx.exe "Apntex.exe"
PcfMgr.exe "C:\Program Files\PowerPanel\Program\PcfMgr.exe" /launch
WZQKPICK.EXE "C:\Program Files\WinZip\WZQKPICK.EXE"
BlueSpaceNE.exe "C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe" /hide
WkCalRem.exe "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe"
wuauclt.exe "C:\WINDOWS\System32\wuauclt.exe"
cidaemon.exe cidaemon.exe DownLevelDaemon "d:\system volume information\catalog.wci" 196672l 532l
cidaemon.exe cidaemon.exe DownLevelDaemon "c:\inetpub\catalog.wci" 196672l 532l
msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" -Embedding
IEXPLORE.EXE "C:\Program Files\Internet Explorer\iexplore.exe"
WINZIP32.EXE C:\PROGRA~1\WINZIP\winzip32.exe "C:\Documents and Settings\nickroman\Local Settings\Temporary Internet Files\Content.IE5\E5B8HC76\StartupTracker3[1].zip"
StartupTracker3.exe "C:\Documents and Settings\nickroman\Local Settings\Temp\StartupTracker3.exe"
wmiprvse.exe C:\WINDOWS\System32\wbem\wmiprvse.exe

-- Running Services --
Name: O?’ŽrtñåȲ$Ó | Description: | Startup Mode: Auto | Run from: C:\WINDOWS\system32\crth.exe /s
Name: ALG | Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall | Startup Mode: Manual | Run from: C:\WINDOWS\System32\alg.exe
Name: Ati HotKey Poller | Description: | Startup Mode: Auto | Run from: C:\WINDOWS\System32\Ati2evxx.exe
Name: AudioSrv | Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Browser | Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: BthServ | Description: | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost.exe -k bthsvcs
Name: ccEvtMgr | Description: Symantec Event Manager | Startup Mode: Auto | Run from: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Name: CiSvc | Description: Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\cisvc.exe
Name: CryptSvc | Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: Dhcp | Description: Manages network configuration by registering and updating IP addresses and DNS names. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: dmserver | Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Dnscache | Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService
Name: ERSvc | Description: Allows error reporting for services and applictions running in non-standard environments. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Eventlog | Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\services.exe
Name: EventSystem | Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: FastUserSwitchingCompatibility | Description: Provides management for applications that require assistance in a multiple user environment. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: helpsvc | Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: IISADMIN | Description: Allows administration of Web and FTP services through the Internet Information Services snap-in | Startup Mode: Auto | Run from: C:\WINDOWS\System32\inetsrv\inetinfo.exe
Name: lanmanserver | Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: lanmanworkstation | Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: LmHosts | Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
Name: MDM | Description: Manages local and remote debugging for Visual Studio debuggers | Startup Mode: Auto | Run from: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
Name: navapsvc | Description: Handles Norton AntiVirus Auto-Protect events. | Startup Mode: Auto | Run from: "C:\Program Files\Norton AntiVirus\navapsvc.exe"
Name: Netman | Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Nla | Description: Collects and stores network configuration and location information, and notifies applications when this information changes. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: PlugPlay | Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\services.exe
Name: PolicyAgent | Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\lsass.exe
Name: ProtectedStorage | Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\lsass.exe
Name: RasAuto | Description: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: RasMan | Description: Creates a network connection. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: RemoteRegistry | Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost.exe -k LocalService
Name: RpcSs | Description: Provides the endpoint mapper and other miscellaneous RPC services. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost -k rpcss
Name: SamSs | Description: Stores security information for local user accounts. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\lsass.exe
Name: Schedule | Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: seclogon | Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: SENS | Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: SharedAccess | Description: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: ShellHWDetection | Description: | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: SMTPSVC | Description: Transports electronic mail across the network | Startup Mode: Auto | Run from: C:\WINDOWS\System32\inetsrv\inetinfo.exe
Name: SNMP | Description: Includes agents that monitor the activity in network devices and report to the network console workstation. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\snmp.exe
Name: Spooler | Description: Loads files to memory for later printing. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\spoolsv.exe
Name: srservice | Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: SSDPSRV | Description: Enables discovery of UPnP devices on your home network. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
Name: TapiSrv | Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: TermService | Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Themes | Description: Provides user experience theme management. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: TrkWks | Description: Maintains links between NTFS files within a computer or across computers in a network domain. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: uploadmgr | Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: upnphost | Description: Provides support to host Universal Plug and Play devices. | Startup Mode: Manual | Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
Name: W32Time | Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: W3SVC | Description: Provides Web connectivity and administration through the Internet Information Services snap-in | Startup Mode: Auto | Run from: C:\WINDOWS\System32\inetsrv\inetinfo.exe
Name: WebClient | Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
Name: winmgmt | Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: WmdmPmSp | Description: Retrieves the serial number of any portable music player connected to your computer | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: wuauserv | Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. | Startup Mode: Auto | Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: WZCSVC | Description: Provides automatic configuration for the 802.11 adapters | Startup Mode: Auto | Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
#9
I am looking it over right now and will get back to you most likely tomorrow. I have to leave town in about an hour and won't be back until tomorrow sometime. I may have to pull one of the experts in on this one. It is one of the new infections.
#10
Sounds painful, Taz. Looks like I'll be owing a beer?
#11
Hi Taz,
Any luck with this yet? I need to use my laptop again soon, so if you have any answers that would be appreciated.
#12
Ok, we shall give this a shot. I may have to pull in an expert if we don't get it the first time around.

I would like you to read through this first and print it, so that you will see what you are going to do and so you have a hard copy to follow along when you can't be on the internet. You will be restarting into Safe Mode later. Go here for directions if you need help: http://service1.symantec.com/SUPPORT/ts...2409420406

---------
Download CWShredder from this page if you don't have it already: http://www.computercops.biz/downloads-cat-14.html
Don't run it yet.

--------
Because XP will not always show you hidden files and folders by default, reset your search settings first. Open Folder Options > View and check your settings.
Select:
Show hidden files and folders
Display the contents of system folders
Uncheck:
Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click. Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

----------
Copy the contents of the Quote Box to Notepad. Name the file fix.reg. Save as Type: All Files. ****Save on the desktop.
Quote:

-----------------------
Restart into Safe Mode. On the desktop, double click on fix.reg to run it.

---------------------
Go to Start > Run and type Hijackthis. Press Enter to start HijackThis. DO NOT OPEN ANYTHING ELSE! Select these items and press the Fix checked button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://homxh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\homxh.dll/sp.html#96676
O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll
O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe
O4 - HKLM\..\RunOnce: [addxd.exe] C:\WINDOWS\addxd.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games21.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab

Now, go to Start > Search and look for these files and delete them:
C:\WINDOWS\homxh.dll
C:\WINDOWS\system32\ntcm.dll
C:\WINDOWS\sysqn32.exe
C:\WINDOWS\addxd.exe

Go to Internet Options > Programs. Click the Reset Web Settings button to reset your home and search pages. Restart into regular Windows.

---------------
Go to this link and run the free AV scan to clean up the residual files: http://housecall.trendmicro.com/hous...start_corp.asp

-------------------
If you were using a Hosts file it was deleted. Download the Hoster from the link below. Click Restore Original Hosts. Click OK. http://members.aol.com/toadbee/hoster.zip

--------
control.exe may have been deleted. Follow the instructions here to replace it: http://www.spywareinfoforum.com/~mer...s.html#control

----
Check System32 to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache, find shell.dll and right click on it. Choose Copy from the menu. Open System32 and right click on an empty space in the window. Choose Paste from the menu.

------
Go here and follow the directions to reset your ActiveX: http://www.computercops.biz/postt7736.html

Run HijackThis again and post the new log in your next reply in this same topic. I would also like to see a new Startup Tracker log, so run a new one of those and post that log as well.