Antivirus Protection
  #1  
January 11th, 2005, 04:42 PM
eplummer
Registered User
Home page has been jacked...... Please help

Below is the Hijack log.

Logfile of HijackThis v1.99.0
Scan saved at 5:28:33 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\AVTC\PasSrv.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files\Panda Software\AVTC\pavsrv51.exe
C:\Program Files\Panda Software\AVTC\PsImSvc.exe
C:\Program Files\Panda Software\AVTC\AVENGINE.EXE
C:\Program Files\Panda Software\AVTC\ClShield.exe
C:\Program Files\Panda Software\AVTC\SRVLOAD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\AVTC\WebProxy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\eplummer\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\eplummer\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\eplummer\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58B2AAA9-704F-4BF2-A180-4AC5AD3DDE3D} - C:\WINDOWS\system32\gjpc.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\AVTC\ClShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098707955047
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = westga.edu
O17 - HKLM\Software\..\Telephony: DomainName = ads.westga.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = westga.edu
O18 - Filter: text/html - {62E76F89-97BA-435F-84A2-C2D267F0E129} - C:\WINDOWS\system32\gjpc.dll
O18 - Filter: text/plain - {62E76F89-97BA-435F-84A2-C2D267F0E129} - C:\WINDOWS\system32\gjpc.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda AntiSpam Server Service - Unknown - C:\Program Files\Panda Software\AVTC\PasSrv.exe
O23 - Service: Panda AdminSecure Communications Agent - Unknown - C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler - Unknown - C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Antivirus Report Service - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda ClientShield - Unknown - C:\Program Files\Panda Software\AVTC\pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Program Files\Panda Software\AVTC\PsImSvc.exe


Note: I have used Ad-Aware and Spybot to find and delete files; however, they continually show back up after trying to access Hotmail.

Any help would be appreciated.

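An added example, not part of the thread and not HijackThis's own analysis: a small Python triage script that reads HijackThis-style lines and flags the entries a responder would look at first in a log like the one above. The sample input is copied from that log; the rules (a browser page served out of a Temp directory, start/search pages reset to about:blank, an unnamed BHO in system32, a text/* MIME filter routed through a DLL, IE options locked by policy, and the same DLL registered under both O2 and O18) are generic heuristics written for this example.

```python
"""Triage a HijackThis log for the about:blank / MIME-filter hijack pattern.

Added example (not from the thread or from HijackThis). The rules below are
generic heuristics written for this example, not a verdict engine.
"""
import re
from collections import defaultdict, namedtuple

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\eplummer\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58B2AAA9-704F-4BF2-A180-4AC5AD3DDE3D} - C:\WINDOWS\system32\gjpc.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Filter: text/html - {62E76F89-97BA-435F-84A2-C2D267F0E129} - C:\WINDOWS\system32\gjpc.dll
O18 - Filter: text/plain - {62E76F89-97BA-435F-84A2-C2D267F0E129} - C:\WINDOWS\system32\gjpc.dll
"""

Finding = namedtuple("Finding", "section reason line")
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
DLL_RE = re.compile(r'([A-Za-z]:\\[^\s"]+?\.dll)', re.IGNORECASE)


def parse(log_text):
    """Split a log into (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def dll_references(log_text):
    """Map each DLL path (lowercased) to the set of sections that reference it."""
    refs = defaultdict(set)
    for section, body in parse(log_text):
        for dll in DLL_RE.findall(body):
            refs[dll.lower()].add(section)
    return refs


def suspicious_dlls(log_text):
    """DLLs registered both as a BHO (O2) and as a MIME filter (O18)."""
    return sorted(d for d, s in dll_references(log_text).items() if {"O2", "O18"} <= s)


def triage(log_text):
    """Return the findings a responder should review first."""
    findings = []
    for section, body in parse(log_text):
        low = body.lower()
        if section in ("R0", "R1"):
            if "res://" in low and "\\temp\\" in low:
                findings.append(Finding(section, "browser page served from a DLL in a Temp directory", body))
            elif low.endswith("= about:blank"):
                findings.append(Finding(section, "start/search page reset to about:blank", body))
        elif section == "O2" and "(no name)" in low and "\\windows\\system32\\" in low:
            findings.append(Finding(section, "unnamed BHO loaded from system32", body))
        elif section == "O18" and low.startswith("filter: text/"):
            findings.append(Finding(section, "text/* MIME filter routed through a DLL", body))
        elif section == "O6":
            findings.append(Finding(section, "IE options locked by policy", body))
    # Cross-reference: one DLL hooked in as both BHO and MIME filter is the strongest signal.
    for dll in suspicious_dlls(log_text):
        findings.append(Finding("O2+O18", "same DLL registered as BHO and MIME filter", dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-52s %s" % (f.section, f.reason, f.line))
```

Run against the sample, the script leaves the Adobe and Spybot BHOs alone and groups the rest of the evidence around one DLL, which is the file a responder would want to look at before touching anything.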
  #2  
January 13th, 2005, 10:46 AM
Tom Myboy
Contributing User
Hi eplummer,

Please print or copy and paste these instructions into Notepad and save them on your desktop.

Ok these instructions are long and somewhat complicated. If you need help with any of the steps, please ask!

If more than one user account is infected with this same problem, please stay with this user account until it is clean, then we'll move on to the other account!

These are the tools needed for the fix.

Registrar Lite

CWShredder

Ad-Aware SE Personal Edition version 1.05


1. Download, install and run Registrar Lite.

2. Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the programs section of your Start Menu.

3. Once Registrar Lite is open, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and press the enter key on your keyboard.

4. You will now be presented with new information in the bottom right and left sections, and in the right section the key called AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs key and write down the text found in the value field. This is the file that is causing the problem. It is possible that there is no file name listed in the AppInit_DLLs key when you double-click on it. Please continue with these steps anyway.

5. Exit Registrar Lite

6. Please make sure that you can view all hidden files.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.

7. Create a new folder on your hard drive called c:\regbackup.

8. Run Registrar Lite again

9. Copy and paste:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple.

10. With the Windows key highlighted click on the File menu, and then click on export.

11. Enter winkey.reg in the name field and change the Save as Type to Regedit4 standard .reg files (*.reg)

12. Change the Save in: dropdown menu to c:\regbackup

13. Then press the Save button

14. With the Windows key highlighted again click on the File menu, and then click on export.

15. Enter Winkey.hiv in the name field and change the Save as Type to Regedt32/WinApi hive files (*.hiv,*.dat, *.*)

16. Change the Save in: dropdown menu to c:\regbackup

17. Then press the Save button

18. When both backups are successfully saved, right-click on the highlighted Windows key and click on the rename option. Rename the Windows key to Windows1.

19. With Windows1 highlighted, look in the right section and double-click on AppInit_DLLs and clear the text in the Value field. That is the DLL you saw previously in Step 4. If a file name does not exist there, then just press the OK button.

20. Rename Windows1 back to Windows and exit the Registrar Lite.

21. Reboot your computer.

22. When you are back at your desktop, navigate to the c:\regbackup folder. Double-click on the winkey.reg file. When it asks whether you would like to import/merge the data, press the Yes button.

23. Run Registrar Lite again

24. Copy and paste:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple.

25. While the Windows key is selected (highlighted purple/blue) in the left window, click on File and then Import.

26. Browse to c:\regbackup and select the winkey.hiv file that we created earlier and press the Open button. Then press the OK button.

27. Now double-click on the AppInit_DLLs key in the right section of the window and clear the text in the Value field. If there is no DLL listed there, then just press OK.

28. Exit Registrar Lite

29. Now download CWShredder from the link above.

30. After you download the program, unzip it into the directory c:\cwshredder. Make sure all browser windows are closed and double-click on the cwshredder.exe to start the program.

31. Next click on the FIX button, not the Scan Only button, let it scan your computer. When it is done, exit the program.

32. Next, using Internet Explorer, run both of these two online virus scans:

http://housecall.antivirus.com/

http://www.pandasoftware.com/activescan/

33. Please download and install the latest version of Ad-Aware from the link above.

34. When you run the program make sure you update it and then scan with it and fix any problems it finds.

35. Exit the program when you have fixed everything it finds.

36. Finally, check to see if the file found in Step 4 still exists on your computer. If it does, delete it.

Please post a fresh HijackThis log.

Credit goes to Grinler for the writeup!

Tom
__________________
HijackThis
Ad-aware
Spybot Search & Destroy
SpywareBlaster
SpywareGuard
Housecall Online A/V Scan

Please read the stickys at the top of the forum before posting!

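An added example, not from the thread and not Registrar Lite's own code: a Python script that works on the REGEDIT4 export steps 9 to 13 above produce. It parses the .reg text, reports what AppInit_DLLs holds (the value step 4 has you write down), and writes a cleaned export with that value blanked, which is what steps 19 and 27 do by hand; the original backup file stays untouched as the rollback. The sample export is constructed for this example (the DLL name in it is a placeholder, not an indicator from the log), the key path is the one given in step 9, and the parser handles string, dword and single-line hex values only.

```python
"""Inspect and blank AppInit_DLLs in a REGEDIT4 export.

Added example, not from the thread or from Registrar Lite. Works on the
winkey.reg backup produced in steps 9-13; handles string, dword and
single-line hex values only.
"""
import re

# Key path from step 9 of the instructions above.
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample export; PLACEHOLDER.dll stands in for whatever step 4 found.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\PLACEHOLDER.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # REGEDIT4 strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Return {key: {value_name: value}} for a REGEDIT4 export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = _unescape(vm.group(1)), vm.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith("hex:"):
                keys[current][name] = bytes.fromhex(data[4:].replace(",", ""))
            else:
                keys[current][name] = data  # unhandled type, kept verbatim
    return keys


def appinit_dlls(text):
    """The DLL(s) loaded into every GUI process via AppInit_DLLs, or '' if none."""
    return parse_reg(text).get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")


def _format_value(value):
    if isinstance(value, int):
        return "dword:%08x" % value
    if isinstance(value, bytes):
        return "hex:" + ",".join("%02x" % b for b in value)
    return '"%s"' % _escape(value)


def cleaned_export(text):
    """Re-serialise the export with AppInit_DLLs blanked; every other value is kept."""
    keys = parse_reg(text)
    if WINDOWS_KEY in keys:
        keys[WINDOWS_KEY]["AppInit_DLLs"] = ""
    out = ["REGEDIT4", ""]
    for key, values in keys.items():
        out.append("[%s]" % key)
        for name, value in values.items():
            out.append('"%s"=%s' % (_escape(name), _format_value(value)))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print("AppInit_DLLs currently:", appinit_dlls(SAMPLE_REG) or "(empty)")
    print(cleaned_export(SAMPLE_REG))
```

Merging the cleaned export instead of editing the live value by hand keeps the change reviewable, and the untouched winkey.reg backup is what you would merge back if anything goes wrong.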
© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 3 hosted by Hostway