HIJACK HELP??????

Logfile of HijackThis v1.97.7
Scan saved at 9:03:30 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\unzipped\framxpro\FreeRAM XP Pro 1.30.exe
C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\THE NEW CPU\My Documents\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8A3F3A19-8ECA-4D17-88DE-277A4193EB6F} - C:\WINDOWS\System32\iganpf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d38736e0e6fd4d/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hello WaterBase,

I would first like you to download Adaware if you don't already have it (don't run it yet, but I would like you to open it and update the reference file and then close it.)

Next, Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Close all windows except HijackThis and check these lines then click on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\THENEW~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8A3F3A19-8ECA-4D17-88DE-277A4193EB6F} - C:\WINDOWS\System32\iganpf.dll

O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe



Don't reboot yet.

Start APM (the program you downloaded second)
In the upper window select explorer.exe
In the lower window find and rightclick C:\WINDOWS\System32\iganpf.dll
Select Unload DLL and click OK on the prompts that follow.

Reboot and scan with AdAware (the first program you downloaded)

Reboot. Now, do the following

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop.

Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Copy and paste that log here along with a new HJT log.

**Also, very important. The reason you are most likely infected is because of Kazaa. Uninstall it. I don't care about why you use Kazaa, I understand, BUT, Kazaa is only going to get you reinfected. If you refuse to uninstall, then we can't help you because it will just be a lost cause. When and if you choose to uninstall, backup all you have downloaded from Kazaa or you will lose all that you have downloaded. I don't mean to sound harsh in any way, I am just trying to help you keep your computer from getting infected like it is now.

Don't forget to post the two logs that are requested.