home page defaults/popups etc

Discussion in 'adware, spyware & hijack cleaning' started by ndmonkey, Jul 18, 2004.

  1. ndmonkey

    ndmonkey Registered Member (Joined: Jun 23, 2004; Posts: 11)

    res://homxh.dll/index.html#96676

    This is the default home page (the most annoying feature)
    Below is the most recent hijackthis log after adaware

    PLEASE HELP!


    Logfile of HijackThis v1.97.7
    Scan saved at 21:25:19, on 18/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\addxd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\sysqn32.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://homxh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\homxh.dll/sp.html#96676
    O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe
    O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games21.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46
     
  2. Taz71498

    Taz71498 Registered Member (Joined: May 27, 2004; Posts: 674; Location: USA)

    Hello,

    If you are still in need of assistance, please post back.
     
  3. ndmonkey

    ndmonkey Registered Member

    Yes, I still need assistance PLEASE!
     
  4. Taz71498

    Taz71498 Registered Member

    Ok, what I would like you to do is post a new HJT log so I can make sure nothing has changed since your last log.
     
  5. ndmonkey

    ndmonkey Registered Member

    Thanks, I am at work so I shall do that this evening.
     
  6. ndmonkey

    ndmonkey Registered Member

    Hiya I noticed the hjt posts are ending so I hope you can help fix this once and for all!

    Each time I go online I get the rescue "search page" plus one "stop nasty pop-ups" window ads - please tell me how to alter this registry setting and remove any suspicious files you notice below

    THANKS!!!


    Logfile of HijackThis v1.97.7
    Scan saved at 19:51:56, on 05/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://homxh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\homxh.dll/sp.html#96676
    O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [addxd.exe] C:\WINDOWS\addxd.exe
    O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Ladbrokes Poker (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games21.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46
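
The R0/R1 lines in the log above point Internet Explorer's start and search pages at `res://` URLs inside `homxh.dll`, while the O8 line shows the same scheme used by Excel for a context-menu item. The following triage sketch is an added example, not part of the original post or of HijackThis. Its function names are hypothetical and the sample is constructed from lines in this thread. It separates the two cases and groups the redirected page settings by the module they load from.

```python
import re
from collections import defaultdict

# Constructed sample: lines in HijackThis v1.97.7 format, taken from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\homxh.dll/sp.html#96676
O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
"""

# An entry line is "<letter><digits> - <body>"; header lines and process paths do not match.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.*\S)\s*$")

# res://<module>/<resource>[#fragment]. The module may be a bare file name or a
# full Windows path, so it can contain ':' and '\' but never '/'.
RES_RE = re.compile(
    r"^res://(?P<module>[^/]+)/(?P<resource>[^#]*)(?:#(?P<fragment>.*))?$",
    re.IGNORECASE,
)


def parse_entries(log_text):
    """Yield (code, body) for every 'Xn - ...' entry in a HijackThis log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def parse_res_url(url):
    """Split a res:// URL into its parts, or return None for any other value."""
    m = RES_RE.match(url.strip())
    if not m:
        return None
    module = m.group("module")
    return {
        "module": module,
        # Same DLL whether written as 'homxh.dll' or 'C:\WINDOWS\homxh.dll'.
        "basename": module.rsplit("\\", 1)[-1].lower(),
        "resource": m.group("resource"),
        "fragment": m.group("fragment"),
    }


def find_res_page_settings(log_text):
    """Group IE page settings (R0/R1) whose data is a res:// URL by module name.

    Returns {module_basename: [(hive, value_name, resource), ...]}.
    """
    hits = defaultdict(list)
    for code, body in parse_entries(log_text):
        if code not in ("R0", "R1"):
            continue  # e.g. the O8 Excel item also uses res:// but is not a page setting
        key_and_value, sep, data = body.partition(" = ")
        if not sep:
            continue
        key, _, value_name = key_and_value.rpartition(",")
        res = parse_res_url(data)
        if res:
            hive = key.split("\\", 1)[0]
            hits[res["basename"]].append((hive, value_name, res["resource"]))
    return dict(hits)


if __name__ == "__main__":
    for module, settings in find_res_page_settings(SAMPLE_LOG).items():
        print(f"{module}: {len(settings)} IE page setting(s) load from this module")
        for hive, name, resource in settings:
            print(f"  {hive}  {name} -> {resource}")
```

A hit is a lead for review rather than a verdict: the script only shows which browser page settings resolve into a local module and how many of them share it.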
     
  7. Taz71498

    Taz71498 Registered Member

    Hello,

    It looks like you have the new infection out there. What I need from you now is a services log. Do this:

    Could you please download this program and run it:

    http://www.dougknox.com/xp/utils/StartupTracker3.zip

    Copy the contents of what it shows here.
     
  8. ndmonkey

    ndmonkey Registered Member

    ouch :ninja: sounds like fun - here goes - sorry about the file length xoxo

    06/08/2004 23:50:45

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    addxd.exe C:\WINDOWS\addxd.exe

    -- Registry --
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    Apoint C:\Program Files\Apoint\Apoint.exe
    ATIModeChange Ati2mdxx.exe
    BluetoothAuthenticationAgent rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    Mouse Suite 98 Daemon ICO.EXE
    ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
    HKSERV.EXE C:\Program Files\Sony\HotKey Utility\HKserv.exe
    Switcher.exe C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    THGuard "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    sysqn32.exe C:\WINDOWS\sysqn32.exe
    MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    -- Registry --
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    No Items Found

    -- Start Menu - Current User --
    BlueSpace NE.lnk
    WKCALREM.LNK

    -- Start Menu - All Users --
    HotSync Manager.lnk
    PowerPanel.lnk
    WinZip Quick Pick.lnk

    -- Disabled Items --
    No Items Found

    -- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
    Explorer.exe

    -- Running Processes --
    System Idle Process
    System
    smss.exe \SystemRoot\System32\smss.exe
    csrss.exe C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
    winlogon.exe winlogon.exe
    services.exe C:\WINDOWS\system32\services.exe
    lsass.exe C:\WINDOWS\system32\lsass.exe
    svchost.exe C:\WINDOWS\system32\svchost -k rpcss
    svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe C:\WINDOWS\System32\svchost.exe -k NetworkService
    svchost.exe C:\WINDOWS\System32\svchost.exe -k LocalService
    spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
    ccEvtMgr.exe "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    alg.exe C:\WINDOWS\System32\alg.exe
    ati2evxx.exe C:\WINDOWS\System32\Ati2evxx.exe
    svchost.exe C:\WINDOWS\system32\svchost.exe -k bthsvcs
    cisvc.exe C:\WINDOWS\system32\cisvc.exe
    inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
    mdm.exe "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
    Navapsvc.exe "C:\Program Files\Norton AntiVirus\navapsvc.exe"
    crth.exe C:\WINDOWS\system32\crth.exe /s
    snmp.exe C:\WINDOWS\System32\snmp.exe
    explorer.exe C:\WINDOWS\Explorer.EXE
    Apoint.exe "C:\Program Files\Apoint\Apoint.exe"
    rundll32.exe "C:\WINDOWS\System32\rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
    ico.exe "C:\WINDOWS\System32\ICO.EXE"
    ezSP_Px.exe "C:\WINDOWS\System32\ezSP_Px.exe"
    HKServ.exe "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
    Switcher.exe "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
    atiptaxx.exe "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    ccApp.exe "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    THGuard.exe "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    sysqn32.exe "C:\WINDOWS\sysqn32.exe"
    HKWnd.exe "C:\Program Files\Sony\HotKey Utility\HKWnd.exe"
    HOTSYNC.EXE "C:\Palm\HOTSYNC.EXE"
    ApntEx.exe "Apntex.exe"
    PcfMgr.exe "C:\Program Files\PowerPanel\Program\PcfMgr.exe" /launch
    WZQKPICK.EXE "C:\Program Files\WinZip\WZQKPICK.EXE"
    BlueSpaceNE.exe "C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe" /hide
    WkCalRem.exe "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe"
    wuauclt.exe "C:\WINDOWS\System32\wuauclt.exe"
    cidaemon.exe cidaemon.exe DownLevelDaemon "d:\system volume information\catalog.wci" 196672l 532l
    cidaemon.exe cidaemon.exe DownLevelDaemon "c:\inetpub\catalog.wci" 196672l 532l
    msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" -Embedding
    IEXPLORE.EXE "C:\Program Files\Internet Explorer\iexplore.exe"
    WINZIP32.EXE C:\PROGRA~1\WINZIP\winzip32.exe "C:\Documents and Settings\nickroman\Local Settings\Temporary Internet Files\Content.IE5\E5B8HC76\StartupTracker3[1].zip"
    StartupTracker3.exe "C:\Documents and Settings\nickroman\Local Settings\Temp\StartupTracker3.exe"
    wmiprvse.exe C:\WINDOWS\System32\wbem\wmiprvse.exe

    -- Running Services --

    Name: O?’ŽrtñåȲ$Ó
    Description:
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\crth.exe /s

    Name: ALG
    Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\alg.exe

    Name: Ati HotKey Poller
    Description:
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\Ati2evxx.exe

    Name: AudioSrv
    Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Browser
    Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: BthServ
    Description:
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k bthsvcs

    Name: ccEvtMgr
    Description: Symantec Event Manager
    Startup Mode: Auto
    Run from: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    Name: CiSvc
    Description: Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\cisvc.exe

    Name: CryptSvc
    Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: Dhcp
    Description: Manages network configuration by registering and updating IP addresses and DNS names.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: dmserver
    Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Dnscache
    Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

    Name: ERSvc
    Description: Allows error reporting for services and applictions running in non-standard environments.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Eventlog
    Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: EventSystem
    Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: FastUserSwitchingCompatibility
    Description: Provides management for applications that require assistance in a multiple user environment.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: helpsvc
    Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: IISADMIN
    Description: Allows administration of Web and FTP services through the Internet Information Services snap-in
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\inetsrv\inetinfo.exe

    Name: lanmanserver
    Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: lanmanworkstation
    Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: LmHosts
    Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: MDM
    Description: Manages local and remote debugging for Visual Studio debuggers
    Startup Mode: Auto
    Run from: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"

    Name: navapsvc
    Description: Handles Norton AntiVirus Auto-Protect events.
    Startup Mode: Auto
    Run from: "C:\Program Files\Norton AntiVirus\navapsvc.exe"

    Name: Netman
    Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Nla
    Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: PlugPlay
    Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\services.exe

    Name: PolicyAgent
    Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\lsass.exe

    Name: ProtectedStorage
    Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\lsass.exe

    Name: RasAuto
    Description: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: RasMan
    Description: Creates a network connection.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: RemoteRegistry
    Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k LocalService

    Name: RpcSs
    Description: Provides the endpoint mapper and other miscellaneous RPC services.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost -k rpcss

    Name: SamSs
    Description: Stores security information for local user accounts.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\lsass.exe

    Name: Schedule
    Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: seclogon
    Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: SENS
    Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: SharedAccess
    Description: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: ShellHWDetection
    Description:
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: SMTPSVC
    Description: Transports electronic mail across the network
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\inetsrv\inetinfo.exe

    Name: SNMP
    Description: Includes agents that monitor the activity in network devices and report to the network console workstation.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\snmp.exe

    Name: Spooler
    Description: Loads files to memory for later printing.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\spoolsv.exe

    Name: srservice
    Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: SSDPSRV
    Description: Enables discovery of UPnP devices on your home network.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: TapiSrv
    Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: TermService
    Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: Themes
    Description: Provides user experience theme management.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: TrkWks
    Description: Maintains links between NTFS files within a computer or across computers in a network domain.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: uploadmgr
    Description: Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: upnphost
    Description: Provides support to host Universal Plug and Play devices.
    Startup Mode: Manual
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: W32Time
    Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: W3SVC
    Description: Provides Web connectivity and administration through the Internet Information Services snap-in
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\inetsrv\inetinfo.exe

    Name: WebClient
    Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

    Name: winmgmt
    Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: WmdmPmSp
    Description: Retrieves the serial number of any portable music player connected to your computer
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

    Name: wuauserv
    Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
    Startup Mode: Auto
    Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

    Name: WZCSVC
    Description: Provides automatic configuration for the 802.11 adapters
    Startup Mode: Auto
    Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  9. Taz71498

    Taz71498 Registered Member

    I am looking it over right now and will get back to you most likely tomorrow. I have to leave town in about an hour and won't be back until tomorrow sometime. I may have to pull one of the experts in on this one. It is one of the new infections.
     
  10. ndmonkey

    ndmonkey Registered Member

    sounds painful Taz. Looks like I'll be owing a beer?
     
  11. ndmonkey

    ndmonkey Registered Member

    Hi Taz,

    Any luck with this yet? I need to use my laptop again soon so if you have any answers that would be appreciated.
     
  12. Taz71498

    Taz71498 Registered Member

    Ok, we shall give this a shot. I may have to pull in an expert if we don't get it the first time around.

    I would like you to read through this first and print it so that you will see what you are going to do and so you have a hard copy to follow along when you can't be on the internet to follow.

    You will be restarting into Safe mode later.
    Go here for directions if you need help:

    http://service1.symantec.com/SUPPORT/ts...2409420406
    ---------
    Download CWShredder from this page if you don't have it already:

    http://www.computercops.biz/downloads-cat-14.html

    Don't run it yet.
    --------


    Because XP will not always show you hidden files and folders by default,
    reset your search settings first.

    Open Folder Options>view and check your settings:
    Select
    Show hidden files and folders
    Display the contents of system folders
    Uncheck: Hide protected operating system files
    Next, go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
    Be sure the first three boxes are selected:
    Search System folders
    Search Hidden Files and folders
    Search SubFolders
    ----------



    Copy the contents of the Quote Box to Notepad.

    Name the file as fix.reg
    Save as Type: All Files
    ****Save on the desktop




    -----------------------


    Restart into Safe Mode.

    On the desktop, double click on fix.reg to run it.
    ---------------------

    Go to Start>Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

    Select these items and press the fix checked button:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://homxh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\homxh.dll/sp.html#96676

    O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll

    O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe
    O4 - HKLM\..\RunOnce: [addxd.exe] C:\WINDOWS\addxd.exe

    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gampr-gb/gbp/games21.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab



    Now, go to Start>Search and look for these files and delete:

    C:\WINDOWS\homxh.dll
    C:\WINDOWS\system32\ntcm.dll
    C:\WINDOWS\sysqn32.exe
    C:\WINDOWS\addxd.exe


    Go to Internet Options>Programs
    Click the reset Web Settings Button to reset your home and search pages.


    Restart into Regular Windows.


    ---------------

    Go to this link and run the free AV scan to clean up the residual files:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    -------------------


    If you were using a Hosts File it was deleted.

    Download the Hoster from the link below. Click Restore Original Hosts. Click OK.
    http://members.aol.com/toadbee/hoster.zip
    --------
    control.exe may have been deleted.
    Follow instructions here to replace it: http://www.spywareinfoforum.com/~merijn/winfiles.html#control
    ----

    Check System32 to be sure you have a file named Shell.dll

    If you do not have one, go to System32\dllcache
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open System32 and right click on an empty space in the window. Choose Paste from the menu.

    ------

    Go here and follow the directions to reset your ActiveX
    http://www.computercops.biz/postt7736.html


    Run HijackThis again and post the new log in your next reply in this same topic. I would also like to see a new startup tracker log also, so run a new one of those and also post that log.
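
A small triage pass over HijackThis log lines in the format used in this thread, added here as an illustration; it is not part of the original posts and not HijackThis's own logic. The three heuristics (IE pages set to a res:// URL, unnamed BHOs, Run/RunOnce executables sitting directly in the Windows root) are assumptions drawn from the entries listed in the post above, and two sample lines are constructed for contrast.

```python
import re

# Fix-list lines copied from the post above; lines marked "constructed" are benign contrast.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\homxh.dll/sp.html#96676",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://homxh.dll/index.html#96676",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",  # constructed
    r"O2 - BHO: (no name) - {AEAD1223-41F1-C0B4-93A5-A2341D629403} - C:\WINDOWS\system32\ntcm.dll",
    r"O4 - HKLM\..\Run: [sysqn32.exe] C:\WINDOWS\sysqn32.exe",
    r"O4 - HKLM\..\RunOnce: [addxd.exe] C:\WINDOWS\addxd.exe",
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",  # constructed
]

ENTRY = re.compile(r"^\s*(R[0-3]|O\d{1,2}) - (.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$")
RES_URL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.I)
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
AUTORUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
WINROOT_EXE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.I)


def triage(lines):
    """Return (section, reason, file) for each entry matching a review heuristic."""
    findings = []
    for line in lines:
        entry = ENTRY.match(line)
        if not entry:
            continue  # headers, process list, blank lines
        section, body = entry.groups()
        if section.startswith("R"):
            reg = REG_VALUE.match(body)
            res = RES_URL.match(reg.group("data")) if reg else None
            if res:  # IE page served out of a local DLL resource
                dll = res.group("dll").split("\\")[-1].lower()
                findings.append((section, "IE " + reg.group("name") + " is a res:// URL", dll))
        elif section == "O2":
            bho = BHO.match(body)
            if bho and bho.group("name") == "(no name)":
                findings.append((section, "unnamed BHO " + bho.group("clsid"), bho.group("path")))
        elif section == "O4":
            run = AUTORUN.match(body)
            if run and WINROOT_EXE.match(run.group("cmd")):
                findings.append((section, run.group("key") + " entry in Windows root", run.group("cmd")))
    return findings

if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE_LOG):
        print(f"{section:3} {reason}: {target}")
```

A hit is a prompt to look at the file, not a verdict: legitimate programs also start from the Windows directory, so each flagged path still needs checking before anything is deleted.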
     