please help me remove about:blank.. here's my log :)

Discussion in 'adware, spyware & hijack cleaning' started by bomp, May 9, 2004.

Thread Status:
Not open for further replies.
  1. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    I'll be forever grateful if you could please help me to get rid of cws.searchx...
    :))

    here is my log

    Logfile of HijackThis v1.97.7
    Scan saved at 15:17:10, on 09.05.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\ImageStudio\LowLight.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\bomp\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0906C26A-CE6A-42F5-A1AF-427E91D57564} - C:\WINDOWS\System32\pglbpo.dll (file missing)
    O2 - BHO: (no name) - {7E21247D-B3F4-408C-B206-8787DFE187ED} - C:\WINDOWS\System32\amipog.dll (file missing)
    O2 - BHO: (no name) - {E31966CC-012A-458D-B54C-23183A92D621} - C:\WINDOWS\System32\njlnmg.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.4989699074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Start with the following:
    Surf to http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download and unzip Find-All.zip
    Inside the unzipped folder find the file Find All.bat and double-click it.

    When it is done it will produce a file output.txt in that same folder.
    Post the content of that file and let me know if your system is dual-boot, whether you have an XP-CD or a bootdisk.

    Regards,

    Pieter
     
  3. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Thank you so much for helping me!
    I don't know what "dual-boot" means; all I know is that I have an XP CD.

    Here's the content of the Find-All file

    Regards, Elisabet :)



    --===**'FIND-ALL' VERSION 2, 5/04**===--

    System Info:
    C: "" (D887:4115) - FS:NTFS clusters:4k
    Total: 80 015 491 072 [75G] - Free: 3 943 636 992 [3.7G]


    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\D3DKBF.DLL +++ File read error
    \\?\C:\WINDOWS\System32\D3DKBF.DLL +++ File read error


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0906C26A-CE6A-42F5-A1AF-427E91D57564}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E21247D-B3F4-408C-B206-8787DFE187ED}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E31966CC-012A-458D-B54C-23183A92D621}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{A32F4301-463D-4C57-90EB-307961B38FFA}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{A32F4301-463D-4C57-90EB-307961B38FFA}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
    "CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"

    Class Install Handler
    {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}
    C:\WINDOWS\system32\urlmon.dll

    deflate
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINDOWS\system32\urlmon.dll

    gzip
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINDOWS\system32\urlmon.dll

    lzdhtml
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINDOWS\system32\urlmon.dll

    text/html
    {A32F4301-463D-4C57-90EB-307961B38FFA}
    C:\WINDOWS\System32\njlnmg.dll

    text/plain
    {A32F4301-463D-4C57-90EB-307961B38FFA}
    C:\WINDOWS\System32\njlnmg.dll

    text/webviewhtml
    {733AC4CB-F1A4-11d0-B951-00A0C90312E1}
    %SystemRoot%\system32\SHELL32.dll

    text/xml
    {807553E5-5146-11D5-A672-00B0D022E945}
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

    {A32F4301-463D-4C57-90EB-307961B38FFA} C:\WINDOWS\System32\njlnmg.dll
    {E31966CC-012A-458D-B54C-23183A92D621} C:\WINDOWS\System32\njlnmg.dll
    {A32F4301-463D-4C57-90EB-307961B38FFA} C:\WINDOWS\System32\njlnmg.dll
    {E31966CC-012A-458D-B54C-23183A92D621} C:\WINDOWS\System32\njlnmg.dll
    {807553E5-5146-11D5-A672-00B0D022E945} C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

    _______________________________

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

    {0906C26A-CE6A-42F5-A1AF-427E91D57564}
    C:\WINDOWS\System32\pglbpo.dll

    {7E21247D-B3F4-408C-B206-8787DFE187ED}
    C:\WINDOWS\System32\amipog.dll

    {E31966CC-012A-458D-B54C-23183A92D621}
    C:\WINDOWS\System32\njlnmg.dll

    --==***Probable "bad" file will be represented as
    C:\WINDOWS...System32...XXXX.dll***==--

    Handle v2.2
    Copyright (C) 1997-2004 Mark Russinovich
    Sysinternals - www.sysinternals.com

    ------------------------------------------------------------------------------
    winlogon.exe pid: 788 NT AUTHORITY\SYSTEM
    34: Section \BaseNamedObjects\2879067108ll
    38: File C:\WINDOWS\system32\d3dkbf.dll
    dc: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    158: Section \BaseNamedObjects\ShimSharedMemory
    1a4: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    1c0: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    1e4: File C:\WINDOWS\AppPatch
    1ec: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    210: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
    214: File C:\WINDOWS\system32\dllcache
    218: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
    21c: File C:\WINDOWS\system32
    220: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
    224: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
    228: File C:\WINDOWS\system32\inetsrv
    22c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
    230: File C:\WINDOWS\Fonts
    234: File C:\WINDOWS\system32\drivers
    238: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
    23c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
    240: File C:\Program Files\microsoft frontpage\version3.0\bin
    244: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
    248: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033
    24c: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
    250: File C:\WINDOWS
    254: File C:\Program Files\Common Files\Microsoft Shared\DAO
    258: File C:\Program Files\Windows Media Player
    25c: File C:\Program Files\Common Files\System\msadc
    260: File C:\Program Files\Common Files\System\ado
    264: File C:\Program Files\Common Files\System\Ole DB
    268: File C:\WINDOWS\inf
    26c: File C:\WINDOWS\system
    270: File C:\WINDOWS\msagent
    274: File C:\WINDOWS\msagent\intl
    278: File C:\Program Files\MSN Gaming Zone\Windows
    27c: File C:\WINDOWS\Help
    280: File C:\WINDOWS\PCHEALTH\HELPCTR\Binaries
    284: File C:\Program Files\NetMeeting
    288: File C:\WINDOWS\system32\drivers\disdn
    28c: File C:\WINDOWS\ime\CHTIME\Applets
    290: File C:\WINDOWS\system32\wbem
    294: File C:\WINDOWS\system32\IME\CINTLGNT
    298: File C:\WINDOWS\system32\Com
    29c: File C:\WINDOWS\system32\Setup
    2a0: File C:\WINDOWS\ime\imjp8_1
    2a4: File C:\Program Files\Common Files\Microsoft Shared\Triedit
    2a8: File C:\Program Files\Windows NT
    2ac: File C:\Program Files\Common Files\System
    2b0: File C:\WINDOWS\system32\1033
    2b4: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
    2b8: File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
    2bc: File C:\WINDOWS\system32\usmt
    2c0: File C:\WINDOWS\ime\imkr6_1\dicts
    2c4: File C:\WINDOWS\system32\mui\0009
    2c8: File C:\Program Files\Internet Explorer
    2cc: File C:\WINDOWS\ime\imjp8_1\applets
    2d0: File C:\WINDOWS\ime\imkr6_1\applets
    2d4: File C:\WINDOWS\system32\xircom
    2d8: File C:\Program Files\Internet Explorer\Connection Wizard
    2dc: File C:\Program Files\Common Files\Microsoft Shared\MSInfo
    2e0: File C:\WINDOWS\ime\imkr6_1
    2e4: File C:\WINDOWS\ime\shared
    2e8: File C:\WINDOWS\system32\IME\PINTLGNT
    2ec: File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
    2f0: File C:\WINDOWS\Resources\Themes\Luna
    2f4: File C:\Program Files\Movie Maker
    2f8: File C:\WINDOWS\ime
    30c: File C:\WINDOWS\srchasst
    310: File C:\Program Files\Outlook Express
    314: File C:\WINDOWS\system32\oobe
    318: File C:\Program Files\Common Files\MSSoap\Binaries
    31c: File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033
    320: File C:\WINDOWS\mui
    324: File C:\WINDOWS\system32\npp
    328: File C:\WINDOWS\ime\shared\res
    32c: File C:\Program Files\Windows NT\Pinball
    330: File C:\WINDOWS\ime\chsime\applets
    350: File C:\WINDOWS\system32\Restore
    358: File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
    374: File C:\Program Files\Common Files\Microsoft Shared\Speech
    378: File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
    37c: File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
    380: File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
    384: File C:\WINDOWS\system32\wbem\snmp
    388: File C:\Program Files\Common Files\SpeechEngines\Microsoft
    38c: File C:\Program Files\Common Files\Microsoft Shared\Speech\1033
    390: File C:\WINDOWS\system32\spool\drivers\color
    394: File C:\WINDOWS\system32\IME\TINTLGNT
    398: File C:\WINDOWS\Help\Tours\mmTour
    39c: File C:\WINDOWS\PCHEALTH\UploadLB\Binaries
    3a0: File C:\Program Files\Common Files\Microsoft Shared\VGX
    3a4: File C:\WINDOWS\system32\wbem\xml
    3a8: File C:\Program Files\Windows NT\Accessories
    3ac: File C:\Program Files\xerox\nwwia
    3bc: File C:\WINDOWS\WinSxS
    658: File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
    6d4: Section \BaseNamedObjects\mmGlobalPnpInfo
    6ec: Section \BaseNamedObjects\WDMAUD_Device_Interface_Path
    73c: Section \BaseNamedObjects\WDMAUD_Callbacks
    74c: Section \BaseNamedObjects\WDMAUD_Path_Size
    758: File C:\WINDOWS\system32
    7f8: Section \BaseNamedObjects\__R_000000000007_SMem__
    
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi bomp,

    This will be very tricky, so if you have any questions don't proceed, but ask first.

    Set your computer to boot from CD and insert the XP CD
    When you restart your computer WITH THE WINXP CD in the drive, it will/should ask you to HIT ANY KEY TO BOOT FROM CD (something like that). At that time you have about 2 or 3 seconds to press a key before it moves on to boot to the hard drive.

    Once you've done that then you need to select R for recovery console.
    Here is a description of the Recovery Console:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;314058

    Delete C:\WINDOWS\System32\D3DKBF.DLL

    Then reboot normally and download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Right-click in that panel and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    After that reboot post a new HijackThis log.

    Regards,

    Pieter
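    The checks Pieter made by hand in this thread (the res:// search-page hijack, BHOs whose DLL is missing or sits in System32, the text/html and text/plain entries under PROTOCOLS\Filter in the Find-All output, and the file Find-All could not read) can be scripted. The following is an added example, not code from the thread, HijackThis or Find-All; the sample lines are constructed from the log formats shown above, and the heuristics (including the assumption that a stock XP registers no filter for text/html or text/plain) are mine:

```python
"""Triage a HijackThis log and a Find-All PROTOCOLS\\Filter dump for the CWS
about:blank pattern discussed in this thread. Added example, not code from
the thread, HijackThis or Find-All. The heuristics below are assumptions:
a DLL named by more than one mechanism (search hijack, BHO, MIME filter)
is the likely hijacker component, and a file Find-All could not read is the
hidden loader that has to be removed from outside Windows."""
import re
from collections import defaultdict

# Constructed sample lines in the HijackThis format shown in this thread.
HIJACKTHIS_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\njlnmg.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0906C26A-CE6A-42F5-A1AF-427E91D57564} - C:\WINDOWS\System32\pglbpo.dll (file missing)
O2 - BHO: (no name) - {E31966CC-012A-458D-B54C-23183A92D621} - C:\WINDOWS\System32\njlnmg.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# Constructed sample of the "filter / CLSID / DLL" triplets Find-All prints.
FINDALL_FILTER_SAMPLE = r"""
gzip
{8f6b0360-b80d-11d0-a9b3-006097942311}
C:\WINDOWS\system32\urlmon.dll

text/html
{A32F4301-463D-4C57-90EB-307961B38FFA}
C:\WINDOWS\System32\njlnmg.dll

text/plain
{A32F4301-463D-4C57-90EB-307961B38FFA}
C:\WINDOWS\System32\njlnmg.dll
"""

# Constructed sample of Find-All's "Locked or 'Suspect' file(s)" section.
FINDALL_LOCKED_SAMPLE = r"""
\\?\C:\WINDOWS\System32\D3DKBF.DLL +++ File read error
\\?\C:\WINDOWS\System32\D3DKBF.DLL +++ File read error
"""

R_LINE = re.compile(r"^R[01] - .* = (.*)$")
RES_SYSTEM32 = re.compile(r"res://.*\\system32\\([a-z0-9_]+\.dll)", re.I)
BHO_LINE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-F-]+\}) - (.*?)(?: \(file missing\))?$", re.I)
SYSTEM32_DLL = re.compile(r"\\system32\\([a-z0-9_]+\.dll)$", re.I)


def triage_hijackthis(text):
    """Return (kind, dll_name, line) for each suspicious R0/R1 or O2 line."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        m = R_LINE.match(line)
        if m:  # search/start page served from a res:// handle on a System32 DLL
            hit = RES_SYSTEM32.search(m.group(1))
            if hit:
                findings.append(("search-hijack", hit.group(1).lower(), line))
            continue
        m = BHO_LINE.match(line)
        if not m:
            continue
        path = m.group(2)
        dll = path.rsplit("\\", 1)[-1].lower()
        if line.lower().endswith("(file missing)"):  # leftover of an earlier variant
            findings.append(("bho-orphan", dll, line))
        elif SYSTEM32_DLL.search(path):  # random-named DLL dropped into System32
            findings.append(("bho-system32-dll", dll, line))
    return findings


def parse_findall_filters(text):
    """Parse the blank-line separated 'name / CLSID / DLL' triplets."""
    filters, block = [], []
    for line in [l.strip() for l in text.splitlines()] + [""]:
        if line:
            block.append(line)
        elif block:
            if len(block) == 3:
                filters.append((block[0], block[1].upper(), block[2]))
            block = []
    return filters


def suspicious_mime_filters(filters):
    """Filters hooked on text/html or text/plain: every page IE renders passes
    through such a handler (assumption: a stock XP registers none)."""
    return [f for f in filters if f[0].lower() in ("text/html", "text/plain")]


def locked_files(text):
    """Paths Find-All reported as unreadable, deduplicated."""
    return sorted({l.strip().split(" +++")[0] for l in text.splitlines()
                   if "+++ File read error" in l})


def correlate(hjt_findings, filters):
    """Map DLL file name -> sorted list of the indicator kinds that named it."""
    by_dll = defaultdict(set)
    for kind, dll, _ in hjt_findings:
        by_dll[dll].add(kind)
    for name, _, dll in suspicious_mime_filters(filters):
        by_dll[dll.rsplit("\\", 1)[-1].lower()].add("mime-filter:" + name.lower())
    return {dll: sorted(kinds) for dll, kinds in by_dll.items()}


if __name__ == "__main__":
    report = correlate(triage_hijackthis(HIJACKTHIS_SAMPLE),
                       parse_findall_filters(FINDALL_FILTER_SAMPLE))
    for dll, kinds in report.items():
        print(f"{dll}: {', '.join(kinds)}")
    for path in locked_files(FINDALL_LOCKED_SAMPLE):
        print("unreadable (candidate for removal from the Recovery Console):", path)
```

    On the constructed sample the script names njlnmg.dll four times over (search hijack, BHO and both MIME filters), lists pglbpo.dll only as an orphaned BHO registration, and reports D3DKBF.DLL as the unreadable file, which is the same picture Pieter drew from the two logs.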
     
  5. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Hi, I get to the recovery console, but I don't know how to delete a file from this place.. I could try, but you told me to ask before I proceed :)
     
  6. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Oh, I found it on the link you gave me, so you don't have to tell me, thank you anyway : )
     
  7. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    I followed your instructions, and here is the new HijackThis log


    Logfile of HijackThis v1.97.7
    Scan saved at 21:59:28, on 09.05.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\POP-UP~1\PSFree.exe
    C:\Program Files\Logitech\ImageStudio\LowLight.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\bomp\Desktop\HijackThis.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\imapi.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0906C26A-CE6A-42F5-A1AF-427E91D57564} - C:\WINDOWS\System32\pglbpo.dll (file missing)
    O2 - BHO: (no name) - {7E21247D-B3F4-408C-B206-8787DFE187ED} - C:\WINDOWS\System32\amipog.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.4989699074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi bomp,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {0906C26A-CE6A-42F5-A1AF-427E91D57564} - C:\WINDOWS\System32\pglbpo.dll (file missing)
    O2 - BHO: (no name) - {7E21247D-B3F4-408C-B206-8787DFE187ED} - C:\WINDOWS\System32\amipog.dll (file missing)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    Then reboot.
    Download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Right-click in that panel and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    You should at least get Windows and IE updated.
    And read this https://www.wilderssecurity.com/showthread.php?t=27971

    Another important tool would be a firewall.
    Use it to block these ranges of IP addresses, both incoming and outgoing, both TCP and UDP: 213.159.117.0-213.159.118.255, 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255.
    That stops the known CWS servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help with many versions of the CWS pest. The problem with this approach is that some good sites might also be blocked (which I doubt).

    Regards,

    Pieter
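    Most firewalls want the ranges Pieter lists as CIDR prefixes rather than first-last pairs, and a range such as 213.159.117.0-213.159.118.255 does not collapse into a single prefix. The following added example (not from the thread; the connection-log format is constructed, the ranges are the three quoted above) converts them and checks sample log lines in both directions and both protocols:

```python
"""Convert the IP ranges quoted in the reply above into CIDR blocks and check
connection-log lines against them. Added example, not from the thread; the
log format is constructed, the ranges are the ones given in the reply."""
import ipaddress
import re

BLOCKED_RANGES = [
    ("213.159.117.0", "213.159.118.255"),
    ("209.66.114.0", "209.66.115.255"),
    ("81.211.105.0", "81.211.105.255"),
]


def ranges_to_cidrs(ranges):
    """Smallest set of CIDR prefixes that exactly covers each first-last range."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return [str(n) for n in nets]


BLOCKED_NETS = [ipaddress.ip_network(c) for c in ranges_to_cidrs(BLOCKED_RANGES)]


def is_blocked(ip, nets=BLOCKED_NETS):
    """True if the address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


# Constructed sample log; format: date time DIR PROTO src:port -> dst:port
# (198.51.100.7 is a documentation address standing in for ordinary traffic).
SAMPLE_LOG = """\
2004-05-09 21:59:28 OUT TCP 192.168.1.10:1044 -> 213.159.118.42:80
2004-05-09 21:59:31 OUT UDP 192.168.1.10:1045 -> 209.66.115.7:53
2004-05-09 21:59:40 OUT TCP 192.168.1.10:1046 -> 198.51.100.7:80
2004-05-09 22:00:02 IN  TCP 81.211.105.9:4433 -> 192.168.1.10:1047
"""
LOG_LINE = re.compile(r"^\S+ \S+ (IN|OUT)\s+(TCP|UDP) (\S+):\d+ -> (\S+):\d+$")


def scan_log(text, nets=BLOCKED_NETS):
    """Return (direction, proto, remote_ip) for every line that touches a
    blocked range; the remote side is the source for IN, the destination for OUT."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        direction, proto, src, dst = m.groups()
        remote = src if direction == "IN" else dst
        if is_blocked(remote, nets):
            hits.append((direction, proto, remote))
    return hits


if __name__ == "__main__":
    print("block rules:", ", ".join(ranges_to_cidrs(BLOCKED_RANGES)))
    for hit in scan_log(SAMPLE_LOG):
        print("blocked-range contact:", hit)
```

    The first range becomes two /24 prefixes because 213.159.117.0 is not aligned on a /23 boundary, the second becomes a single 209.66.114.0/23, and the third stays a /24; a contact with any of them after cleanup is the signal that something on the machine is still trying to phone home.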
     
  9. bomp

    bomp Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    It seems like it's gone! I can't believe it's really gone, I've been trying to remove it for a month now, thank you so much!!
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands