Full Version: Help - Homepage hijacked
cmsct1
I am looking for some help please. I have run Spybot S&D and Ad-aware6 and CWShredder and HijackThis and installed ie-Spyad and my IE homepage is still being hijacked. Although the appearance of popups does seem to have gone away. Below is my HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 3:52:03 PM, on 8/10/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINNT\System32\oocinst.exe
C:\WINNT\system32\OODAG.EXE
C:\WINNT\cral32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\netpl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\IMNNQ_2K\httpdl.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\IMNNQ_2K\imnsvdem.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
C:\Program Files\The Weather Channel\The Weather Channel.exe
C:\wdsc\SYSTEM\EVFWLX40.EXE
C:\wdsc\system\evfctcpd.exe
C:\Lotus\Notes\nminder.exe
C:\wdsc\SYSTEM\RXAPI.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\EMULATOR\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mxmhy.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mxmhy.dll/index.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mxmhy.dll/index.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Enterprises, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost:49213;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINNT\Downloaded Program Files\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {A23F1F74-28CD-03FF-FA38-176F6F744C65} - C:\WINNT\system32\netkh.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_0_2_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IMNNQ] nqdetach.exe imnss.exe start server
O4 - HKLM\..\Run: [IMNNQ NetQ Web Server] nqdetach.exe httpdl.exe -r C:\IMNNQ_2K\httpd.cnf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [netpl.exe] C:\WINNT\system32\netpl.exe
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - Startup: Lotus Notes Minder.lnk = C:\Lotus\Notes\nminder.exe
O4 - Global Startup: CODE Editor initialization.lnk = C:\wdsc\codebrws.exe
O4 - Global Startup: Communications.lnk = C:\wdsc\system\evfctcpd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://us2.webex.com/client/v_premconf/webex/ieatgpc.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...yiebio5_0_2_4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rogersandhollands.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C2DBA8C-D0C2-46A9-B2C0-BAE8FF0DF43B}: NameServer = 100.1.1.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rogersandhollands.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C2DBA8C-D0C2-46A9-B2C0-BAE8FF0DF43B}: NameServer = 100.1.1.7
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rogersandhollands.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C2DBA8C-D0C2-46A9-B2C0-BAE8FF0DF43B}: NameServer = 100.1.1.7
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Any suggestions/help would be appreciated.
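As an added example (editor's code, not part of the thread or of HijackThis), here is a small triage script that applies the same reasoning the helper applies below to the log above: IE start/search pages pointing at a res:// URL into a DLL, a Browser Helper Object with no name, and a Run entry named exactly after its own executable. The sample lines are copied from the posted log; the heuristics themselves are the editor's own and are labelled as such in the comments.

```python
"""Triage a HijackThis (v1.98-style) log for CoolWebSearch-style hijack entries.

Added example, not code from the thread or from HijackThis. The sample lines
are copied from the log posted above; the heuristics are the editor's own.
"""
import re

# Constructed sample: lines copied from the posted log (one or two per HJT section of interest).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mxmhy.dll/index.html#12802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost:49213;127.0.0.1;<local>
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINNT\Downloaded Program Files\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {A23F1F74-28CD-03FF-FA38-176F6F744C65} - C:\WINNT\system32\netkh.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [netpl.exe] C:\WINNT\system32\netpl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C2DBA8C-D0C2-46A9-B2C0-BAE8FF0DF43B}: NameServer = 100.1.1.7
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A DLL referenced through a res:// URL, with or without a full path in front of it.
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?(?P<dll>[^/\\]+\.dll)", re.IGNORECASE)
# First Windows path ending in .dll/.exe on the line (lazy, so it stops at the first extension).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of findings {'line', 'reason', 'file'} for entries worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        if section in ("R0", "R1") and "res://" in body.lower():
            # Legitimate start/search pages are http(s) URLs or about:blank; a res://
            # URL into a DLL is the CoolWebSearch pattern seen in this thread.
            dll = RES_DLL_RE.search(body)
            findings.append({"line": line,
                             "reason": "IE start/search page served from a local DLL via res://",
                             "file": dll.group("dll").lower() if dll else None})
        elif section == "O2" and "(no name)" in body:
            # Heuristic: a BHO with no registered name is not how real software installs.
            path = PATH_RE.search(body)
            findings.append({"line": line,
                             "reason": "unnamed Browser Helper Object",
                             "file": basename(path.group(0)) if path else None})
        elif section == "O4":
            # Heuristic: a Run value named exactly like its executable ([netpl.exe] ... netpl.exe)
            # is typical of dropped loaders; installed software uses a product name.
            name, path = RUN_NAME_RE.search(body), PATH_RE.search(body)
            if name and path and name.group("name").lower() == basename(path.group(0)):
                findings.append({"line": line,
                                 "reason": "Run entry named after its own executable",
                                 "file": basename(path.group(0))})
    return findings


def files_to_remove(findings):
    """Distinct file names loaded by the flagged entries: candidates for deletion in Safe Mode."""
    return sorted({f["file"] for f in findings if f["file"]})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['reason']}] {f['line']}")
    print("files:", ", ".join(files_to_remove(found)))
```

Run against the sample it reports the four entries the helper later asks to have fixed and lists mxmhy.dll, netkh.dll and netpl.exe as the files behind them; the Yahoo BHO and the Symantec Run entry are left alone because they carry a name and a product path. The ProxyOverride and O17 lines are parsed but not flagged: nothing in this thread identifies them as part of the infection.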
CalamityJane
Hi and thanks for being so patient,

You have a very tricky variant of Coolwebsearch that none of the conventional tools can remove...but, we can get rid of it with a special fix :)

First, I need to know the running services since there are now several versions of this hijacker.

Please download the special vbs file I have attached in the zip file here, called GetActiveServices.zip

Extract it to a new folder on the desktop. Double click on the GetActiveServices.vbs to run it. This will create and open a text file named Active.txt in the same folder.

It will then open Active.txt for you.

Active.txt will list all active Services. Copy and paste the contents of Active.txt in your next reply here.
cmsct1
OK. I think I have what you have requested. Please let me know if this is missing anything. Thanks.

These are the Current Active Services:

3COM DMI AGENT: 3ComDMIService
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

ACTIONAGENT: ActionAgent
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe

BACKGROUND INTELLIGENT TRANSFER SERVICE: BITS
C:\WINNT\System32\svchost.exe -k BITSgroup

COMPUTER BROWSER: Browser
C:\WINNT\System32\services.exe

DHCP CLIENT: Dhcp
C:\WINNT\System32\services.exe

LOGICAL DISK MANAGER: dmserver
C:\WINNT\System32\services.exe

DNS CLIENT: Dnscache
C:\WINNT\System32\services.exe

EVENT LOG: Eventlog
C:\WINNT\system32\services.exe

SERVER: lanmanserver
C:\WINNT\System32\services.exe

WORKSTATION: lanmanworkstation
C:\WINNT\System32\services.exe

TCP/IP NETBIOS HELPER SERVICE: LmHosts
C:\WINNT\System32\services.exe

MESSENGER: Messenger
C:\WINNT\System32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINNT\system32\services.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINNT\system32\services.exe

RUNAS SERVICE: seclogon
C:\WINNT\system32\services.exe

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINNT\system32\services.exe

WINDOWS TIME: W32Time
C:\WINNT\System32\services.exe

WINDOWS MANAGEMENT INSTRUMENTATION DRIVER EXTENSIONS: Wmi
C:\WINNT\system32\Services.exe

SYMANTEC EVENT MANAGER: ccEvtMgr
"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

SYMANTEC SETTINGS MANAGER: ccSetMgr
"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

SYMANTEC ANTIVIRUS DEFINITION WATCHER: DefWatch
"C:\Program Files\Symantec AntiVirus\DefWatch.exe"

DELLDMI: DellDmi
C:\DMI\WIN32\bin\DellDmi.exe

DEVENTAGENT: DEventAgent
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe

DLT: DLT
C:\Program Files\Dell\OpenManage\Client\DLT.exe

COM+ EVENT SYSTEM: EventSystem
C:\WINNT\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINNT\System32\svchost.exe -k netsvcs

REMOVABLE STORAGE: NtmsSvc
C:\WINNT\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINNT\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINNT\system32\svchost.exe -k netsvcs

TELEPHONY: TapiSrv
C:\WINNT\System32\svchost.exe -k netsvcs

IAP: Iap
C:\Program Files\Dell\OpenManage\Client\Iap.exe

MACHINE DEBUG MANAGER: MDM
"C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"

MULTI-USER CLEANUP SERVICE: Multi-user Cleanup Service
C:\Lotus\Notes\ntmulti.exe

NET LOGON: Netlogon
C:\WINNT\System32\lsass.exe

IPSEC POLICY AGENT: PolicyAgent
C:\WINNT\System32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINNT\system32\lsass.exe

NETROPA NHK SERVER: nhksrv
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O&O COMPONENTINSTALLER AGENT: O&O ComponentInstaller Agent
C:\WINNT\System32\oocinst.exe

O&O DEFRAG: O&O Defrag
C:\WINNT\system32\OODAG.EXE

WORKSTATION NETLOGON SERVICE: O?’ŽrtñåȲ$Ó
C:\WINNT\cral32.exe /s

REMOTE REGISTRY SERVICE: RemoteRegistry
C:\WINNT\system32\regsvc.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss

SAVROAM: SavRoam
"C:\Program Files\Symantec AntiVirus\SavRoam.exe"

TASK SCHEDULER: Schedule
C:\WINNT\system32\MSTask.exe

PRINT SPOOLER: Spooler
C:\WINNT\system32\spoolsv.exe

SYMANTEC ANTIVIRUS: Symantec AntiVirus
"C:\Program Files\Symantec AntiVirus\Rtvscan.exe"

WIN32SL: Win32Sl
C:\dmi\win32\bin\Win32sl.exe

WINDOWS MANAGEMENT INSTRUMENTATION: WinMgmt
C:\WINNT\System32\WBEM\WinMgmt.exe

AUTOMATIC UPDATES: wuauserv
C:\WINNT\system32\svchost.exe -k wugroup
CalamityJane
Yes, good job - that is what I needed.

This is one part of the bad boy and requires quite a few steps to properly remove: WORKSTATION NETLOGON SERVICE: O?’ŽrtñåȲ$Ó
C:\WINNT\cral32.exe /s

Give me a few minutes or more to write up the specific fix for your PC, it is rather lengthy but it will be easy to follow and remove the infection :)

I'll be back

Meanwhile, you are going to need to update your Adaware Version to the newest edition just out, you can go ahead and do that and you also need to get to Windows Update (you're missing SP4 on Win2k and SP1 for IE also at least). You need ALL the critical security updates recommended for your OS and IE to avoid immediate reinfection with this or something else. This particular hijacker (coolwebsearch) most frequently uses exploits on unpatched systems to silently, secretly install on you.

Here is the newest version of Adaware. Just uninstall your old version 6.181 and download and install the new one. It will update and scan your computer upon completing the installation. Let it do that and fix anything bad it finds (if any).

Adaware SE 1.02
http://www.majorgeeks.com/download506.html

Windows Update:
http://v4.windowsupdate.microsoft.com/en/default.asp
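Added example (editor's code, not from the thread or from the GetActiveServices script): a parser for the two-line "DISPLAY NAME: ServiceName / command line" blocks in Active.txt, plus three checks that single out the service the helper identified above: a service name made of non-printable or non-ASCII characters, a binary sitting directly in the Windows directory rather than System32, and a display name that imitates a Windows component (Netlogon, Workstation, RPC) while running from something other than services.exe, lsass.exe or svchost. The sample blocks are copied from the posted listing; the heuristics, the keyword list and the assumed Windows directory (C:\WINNT, as on this Windows 2000 box) are the editor's own.

```python
r"""Flag suspicious entries in a GetActiveServices-style Active.txt listing.

Added example, not code from the thread or from the GetActiveServices script.
Sample blocks are copied from the listing posted above; the heuristics are the
editor's own, and the Windows directory is assumed to be C:\WINNT (Windows 2000).
"""
import re

# Constructed sample: a subset of the posted Active.txt, same two-line block format.
SAMPLE_ACTIVE = r"""These are the Current Active Services:

3COM DMI AGENT: 3ComDMIService
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

DNS CLIENT: Dnscache
C:\WINNT\System32\services.exe

NET LOGON: Netlogon
C:\WINNT\System32\lsass.exe

NETROPA NHK SERVER: nhksrv
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

WORKSTATION NETLOGON SERVICE: O?’ŽrtñåȲ$Ó
C:\WINNT\cral32.exe /s

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINNT\system32\svchost -k rpcss

TASK SCHEDULER: Schedule
C:\WINNT\system32\MSTask.exe
"""

HEADER_RE = re.compile(r"^(?P<display>.+?): (?P<name>.+)$")
# Processes that legitimately host built-in Windows services (extension stripped).
TRUSTED_HOSTS = {"services", "lsass", "svchost"}
# Display-name fragments of Windows components this CWS variant imitates (editor's list).
IMITATED = ("NETLOGON", "NET LOGON", "WORKSTATION", "REMOTE PROCEDURE")


def parse_active(text):
    """Split Active.txt into {'display', 'name', 'command'} records."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 2:
            continue  # the header sentence, or a truncated block
        m = HEADER_RE.match(lines[0])
        if m:
            services.append({"display": m.group("display"),
                             "name": m.group("name"),
                             "command": lines[1]})
    return services


def image_path(command):
    """Executable path from a service command line: quoted path, or the first token."""
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split()[0]


def triage_services(text, system_root=r"C:\WINNT"):
    """Return the services that trip at least one heuristic, with the reasons."""
    findings = []
    for svc in parse_active(text):
        reasons = []
        if any(ord(c) < 32 or ord(c) > 126 for c in svc["name"]):
            reasons.append("service name contains non-printable/non-ASCII characters")
        exe = image_path(svc["command"])
        directory, _, filename = exe.rpartition("\\")
        stem = filename.lower()
        if stem.endswith(".exe"):
            stem = stem[:-4]
        if directory.lower() == system_root.lower():
            reasons.append("binary sits directly in the Windows directory, not System32")
        if any(k in svc["display"].upper() for k in IMITATED) and stem not in TRUSTED_HOSTS:
            reasons.append("display name imitates a Windows component but runs from an unexpected binary")
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE_ACTIVE):
        print(f"{f['display']} ({f['name']!r}) -> {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, only the "WORKSTATION NETLOGON SERVICE" entry is reported, and it trips all three checks; the real Net Logon (hosted by lsass.exe) and RPC (hosted by svchost) entries pass because their host binaries are in the trusted set, even though their display names match the keyword list.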
CalamityJane
Here is the step by step fix for you.

1. Download AboutBuster ver. 3.0 here:
http://www.malwarebytes.biz/AboutBuster.zip

Unzip it to your desktop but don't run it yet; we'll do that later on down in this list in SAFE MODE.

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "WORKSTATION NETLOGON SERVICE". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

6. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINNT\system32\mxmhy.dll/sp.html#12802

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
res://mxmhy.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
res://mxmhy.dll/index.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= res://C:\WINNT\system32\mxmhy.dll/sp.html#12802

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINNT\system32\mxmhy.dll/sp.html#12802

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
res://mxmhy.dll/index.html#12802

O2 - BHO: (no name) - {A23F1F74-28CD-03FF-FA38-176F6F744C65} -
C:\WINNT\system32\netkh.dll

O4 - HKLM\..\Run: [netpl.exe] C:\WINNT\system32\netpl.exe

and delete the following files if present.

C:\WINNT\cral32.exe

C:\WINNT\system32\netpl.exe

C:\WINNT\system32\mxmhy.dll

C:\WINNT\system32\netkh.dll

7. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.

8. Scan with Adaware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

11. NOTE: Two, possibly three, files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe
hosts (with no extension)
SDHelper.dll (if you are using Spybot Search & Destroy)

If control.exe is missing
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
........................................................
12. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
QUOTE
ActiveX controls and plug-ins

    * Download signed ActiveX controls (Prompt)
    * Download unsigned ActiveX controls (Disable)
    * Initialize and script ActiveX controls not marked as safe (Disable)
    * Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    * Script ActiveX controls marked safe for scripting (Prompt)


13. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review :)
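Step 12 above can be checked without clicking through the IE dialogs: the Internet zone's ActiveX settings are DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (1001 download signed, 1004 download unsigned, 1200 run controls and plug-ins, 1201 initialize/script controls not marked safe, 1405 script controls marked safe; 0 = Enable, 1 = Prompt, 3 = Disable). As an added example (editor's code, not from the thread), the script below parses a regedit export of that key, compares it with the levels recommended in the post, and writes a .reg file that resets only the values that deviate. The export text is constructed to show the "everything enabled" state the post warns about; the value-name meanings are standard IE zone settings.

```python
r"""Audit Internet-zone ActiveX settings from a .reg export and emit a corrective .reg file.

Added example, not code from the thread. Value names 1001/1004/1200/1201/1405
under HKCU\...\Internet Settings\Zones\3 and the levels 0=Enable, 1=Prompt,
3=Disable are standard IE zone settings; the sample export is constructed.
"""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Recommended levels from the post, keyed by the registry value that stores each setting.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", ENABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", PROMPT),
}

# Constructed sample export (regedit "Export" output) with every ActiveX setting set to Enable,
# the weak state the post says this CWS variant leaves behind.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1405"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: int}}, DWORD values only (others are skipped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = keys.setdefault(k.group("key"), {})
            continue
        d = DWORD_RE.match(line)
        if d and current is not None:
            current[d.group("name")] = int(d.group("hex"), 16)
    return keys


def audit_zone(values):
    """Return (value_name, label, current_level, recommended_level) for each setting that
    differs from the recommendation. A value that is absent is reported too (current=None),
    so the fix file sets it explicitly instead of relying on the zone template default."""
    deviations = []
    for name, (label, want) in RECOMMENDED.items():
        have = values.get(name)
        if have != want:
            deviations.append((name, label, have, want))
    return deviations


def corrective_reg(deviations):
    """Build a .reg file that resets only the deviating values to the recommended level."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for name, label, _have, want in deviations:
        lines.append(f"; {label}: {LEVEL_NAMES[want]}")   # ';' starts a comment in .reg files
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zone = parse_reg(SAMPLE_EXPORT).get(ZONE3_KEY, {})
    found = audit_zone(zone)
    for name, label, have, want in found:
        print(f"{name} {label}: is {LEVEL_NAMES.get(have, 'not set')}, should be {LEVEL_NAMES[want]}")
    print(corrective_reg(found))
```

On a real machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` produces the input, and the emitted file can be reviewed and merged with regedit. Note that "Run ActiveX controls and plug-ins" is already at the recommended Enable level in the sample, so it is not rewritten; re-running the audit on the merged result reports no deviations.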
cmsct1
OK. I have completed all steps except checking for the potentially missing files. I was not able to run AboutBuster in safe mode. I got a Run Time Error '13'. I am not sure what that means. Below is my log from Hijack This. In the relatively short time I have been back on it seems as though things are back to normal. No hijacks of my home page yet. I have to thank you for all of your assistance in cleaning up this nasty problem. I will let you know if I have any additional problems. Thanks again. I still see a couple of questionable things in this log. Let me know if you agree.

Logfile of HijackThis v1.98.2
Scan saved at 12:59:12 PM, on 8/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINNT\System32\oocinst.exe
C:\WINNT\system32\OODAG.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\IMNNQ_2K\httpdl.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\IMNNQ_2K\imnsvdem.exe
C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
C:\wdsc\SYSTEM\EVFWLX40.EXE
C:\wdsc\system\evfctcpd.exe
C:\Lotus\Notes\nminder.exe
C:\wdsc\SYSTEM\RXAPI.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Enterprises, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost:49213;127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINNT\Downloaded Program Files\ycomp5_0_2_4.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_0_2_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [IMNNQ] nqdetach.exe imnss.exe start server
O4 - HKLM\..\Run: [IMNNQ NetQ Web Server] nqdetach.exe httpdl.exe -r C:\IMNNQ_2K\httpd.cnf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - Startup: Lotus Notes Minder.lnk = C:\Lotus\Notes\nminder.exe
O4 - Global Startup: CODE Editor initialization.lnk = C:\wdsc\codebrws.exe
O4 - Global Startup: Communications.lnk = C:\wdsc\system\evfctcpd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://us2.webex.com/client/v_premconf/webex/ieatgpc.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rogersandhollands.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C2DBA8C-D0C2-46A9-B2C0-BAE8FF0DF43B}: NameServer = 100.1.1.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rogersandhollands.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C2DBA8C-D0C2-46A9-B2C0-BAE8FF0DF43B}: NameServer = 100.1.1.7
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rogersandhollands.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C2DBA8C-D0C2-46A9-B2C0-BAE8FF0DF43B}: NameServer = 100.1.1.7
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
CalamityJane
Ok good. Fix these in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mxmhy.dll/sp.html#12802

I'm checking on the Runtime error 13 in AboutBuster. Will post back here when more is known. I'd like to get that working because even though you seem to be rid of the hijacker (because of using multiple methods to kill it), AboutBuster will probably find more infected files than we can see with the other tools. Did you try running it in regular mode and get the same error? Also - do you have it installed in its own folder somewhere on your main harddrive? Also, make sure you are not running it straight from the zip file.

If still no joy, check on this for me:

Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any these entries named as:

Workstation NetLogon Service

If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for any entries like this:

LEGACY Workstation NetLogon service (or something similar beginning with Legacy)

If you find it, right-click it in the right-pane and choose delete.

The above are my instructions for WinXP - not sure if the location is the same in win2k :unsure:

I'm glad to see you've begun working on your Windows Updates :thumb:

Don't forget to get SP1 for Internet Explorer 6.0 and of course, any of the others listed. Coolwebsearch likes to use the latest ones that aren't patched and we have had quite a few from Microsoft in recent months.
cmsct1
Thanks again for all of your help with this. Still getting the Run Time Error '13' with the AboutBuster tool. Ran the Hijack This program and fixed designated entries. Also used Regedit to correct entries as they were found. I will be applying SP1 to IE as soon as possible. Thanks for all of your time. I look forward to hearing about the error with AboutBuster.
CalamityJane
The AboutBuster author has been working on that error today. Fixed it about an hour ago.

Runtime error 13 - Type mismatch bug fixed. Download new version here :)
http://www.malwarebytes.biz/AboutBuster.zip

Hopefully, it is working now. Let it scan twice and use the *Save Log* button. Copy and paste the report back here please :)
cmsct1
Downloaded new version of AboutBuster and ran without problems. Please find the log below. Once again I can't thank all of you enough for your assistance with this problem. You guys are great!

Scanned at: 8:28:08 AM on: 8/12/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 14

No ADS found on system
Removed! : C:\WINNT\addzk32.exe
Removed! : C:\WINNT\addzk32.exe.bak
Removed! : C:\WINNT\apimf32.exe
Removed! : C:\WINNT\apinh.exe
Removed! : C:\WINNT\atlhd32.exe
Removed! : C:\WINNT\kbojb.dat
Removed! : C:\WINNT\qgyse.dat
Removed! : C:\WINNT\qgyses.dat
Removed! : C:\WINNT\system32\iecm32.exe
Removed! : C:\WINNT\system32\iydmg.dat
Removed! : C:\WINNT\system32\lubld.dll
Removed! : C:\WINNT\system32\mswj32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 14

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
CalamityJane
Terrific! I knew AboutBuster would find more to fix once the problems with getting it to run were fixed and it did :)

Now that your PC is clean, you'll want to take some extra steps to keep it that way. See here for our recommendations on free programs and security precautions you can take:
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 1.2 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx

You might also consider an alternative browser and use IE only when needed for sites that require ActiveX and are trusted (like Windows update or the online virus scanners). I use Firefox for 99% of my everyday surfing (using it right now in fact). It's free and very easy to setup, understand and use without many of the vulnerabilities that IE has. Or feel free to search around for info on other alternative browsers.

Firefox
http://www.mozilla.org/products/firefox/
cmsct1
Once again I can't say enough good things about your service and this forum. I spoke with my son last night who, like you is a proponent of the Firefox browser which I will be downloading soon. I appreciate all of your assistance and don't take this the wrong way but I hope not to need your assistance again in the future. Thanks again.
CalamityJane
You're very welcome. It has been a pleasure to help you.