Need help again

[tesco]

yes everything is still there.

try this:
reastart into safe mode
then run spysweeper or some other spyware scanner to delete all spyware files
then run hijackthis! and remove these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\olxyr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\olxyr.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\olxyr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\olxyr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\olxyr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\olxyr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\olxyr.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A5EAE932-7E5A-03BC-802E-232E0709ED77} - C:\WINDOWS\system32\winxy.dll

O4 - HKLM\..\Run: [ipcz32.exe] C:\WINDOWS\system32\ipcz32.exe

O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -



And there might be some more things installed by the time u restart so just remove anything else that looks suspicious to you (maybe you should print this page out so you know which ones you can keep, then anything else you see can be removed).

Good luck!

[coldnorth]

Thanks rossco. I just ran spybot, removed about 20 items and then ran ad-aware. Ad-Aware found 46 items, lots of "coolwebsearch" stuff. I checked each item to be removed but ad-aware would go no further, just froze up. I wonder if this is related to the crap on my computer?

[tesco]

probably is.
Try it from safemode.

also close everything down in task manager that you know isnt something you need (leave av and firewall and stuff) then remove them from msconfig as well.
then do teh scans and stuff.

[Spam-King]

Also I would recomend not looking at pr0n since that is the main root

[Smurfette]

Also I would recomend not looking at pr0n since that is the main root

No it isn't.

[Mïcrösöül°V³]

If you have alot of coolwebsearch stuff, you should try CWShredder. Im not sure if regular spyware cleaners remove that or not. here is a link for you http://www.spywareinfo.com/~merijn/downloads.html

[Mullyman]

Run Giant Antispyware and you will be rid of the shit...your just wasting your time right now...it"s only going to keep coming back.

[Jg427]

This type of aboutblank hijacker installs a bad service on your system. When you delete the files, the service reinstalls them.

To identify the service,
download ServiceFilter.zip. Extract it to a new folder and double click Servicefilter.vbs to run it.
It will open Post_This.txt, copy the contents and paste it here in your reply.

Download AboutBuster 3.0 from http://www.downloads.subratam.org/AboutBuster.zip
Unzip all files from the zip folder to a folder or your desktop. Start it, click ok then click update. Click on Check for Updates and download any found. Don't run it yet, it won't work until the service is disabled.

Download the latest version of Ad-Aware SE 1.05 from here.
It will uninstall older versions during install. Uncheck "scan now" after install but allow it to "Check for Updates Now"

Scan with hijackthis and post a fresh log along with the Post_This.txt and we can run the fix.

[coldnorth]

Thanks Jg427. Ok, I download the program you recommended. Here are the results of it.

Microsoft Windows XP Home Edition
Version: 5.1.2600
Dec 5, 2004 1:15:01 PM


===> Begin Service Listing <===

Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{6f105489-c8eb-468e-a43f-d81843c44202}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: ZESOFT
Display Name: ZESOFT
Start Mode: Auto
Start Name: LocalSystem
Description: ZESoft ...
Service Type: Own Process
Path: c:\windows\zeta.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: �%AF夶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\atlxo32.exe /s
State: Running
Process ID: 2708
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 78 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 5.59375 seconds.


I do have the latest version of ad-Aware, at least I think I do.

Here is the current HJT log

Logfile of HijackThis v1.98.2
Scan saved at 1:18:02 PM, on 12/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ipcz32.exe
C:\WINDOWS\atlxo32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\sd\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69C0535E-8F6B-1482-8F80-DF6B338BFBF8} - C:\WINDOWS\system32\crlw32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ipcz32.exe] C:\WINDOWS\system32\ipcz32.exe
O4 - HKLM\..\Run: [msgo.exe] C:\WINDOWS\system32\msgo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D125DA-F8B3-4788-853A-991CD73239D0}: NameServer = 207.40.103.4 207.40.103.5

Thanks

[coldnorth]

I was able to download GirantSpyware at last and it did remove quiet a few things from the computer. I'm still having problems though, stranges process running in the task manager, home page still being re-set and computer still rather slow. I ran HJT and made a new log. What would everyone suggest my next step be? Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 2:25:11 PM, on 12/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sd\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69C0535E-8F6B-1482-8F80-DF6B338BFBF8} - C:\WINDOWS\system32\crlw32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [atlaj.exe] C:\WINDOWS\atlaj.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [ntlg.exe] C:\WINDOWS\system32\ntlg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7D125DA-F8B3-4788-853A-991CD73239D0}: NameServer = 207.40.103.4 207.40.103.5