#1
Need help with hijacked computer and stubborn spyware please
Hello,

Unfortunately, my homepage was hijacked. I have run CWS, Spybot, Ad-Aware, etc. and I cannot get it to budge! I would REALLY appreciate help on this. Thanks to any brilliant mind that helps. Oh yeah, BTW, I don't have a clue what the log means, does, or how it needs to be fixed. Here is my HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 2:02:01 PM, on 12/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\d3gs.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\documents and settings\chris\local settings\temp\ZLIzGvAS.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Documents and Settings\Chris\Application Data\rrup.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nettb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {39003147-0564-FC80-401D-657710C0FEE1} - C:\WINDOWS\winnv32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\ZxCfU.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZbybL] C:\documents and settings\chris\local settings\temp\ZbybL.exe
O4 - HKLM\..\Run: [ZLIzGvAS] C:\documents and settings\chris\local settings\temp\ZLIzGvAS.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [nettb.exe] C:\WINDOWS\system32\nettb.exe
O4 - HKLM\..\RunOnce: [d3gs.exe] C:\WINDOWS\d3gs.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Chris\Application Data\rrup.exe
O4 - HKCU\..\Run: [Pbphii] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18af265b80b881d3b417/netzip/RdxIE601.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Tmesbs32 - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ieym.exe (file missing)
#2
Hi AndrewZ,
Please follow all instructions in the order they are presented, or the fix will not work! You might want to print these instructions for reference or copy and paste them into Notepad and save them on your desktop, as you will be off the internet and in Safe Mode while performing this fix.

Download Ad-Aware SE Personal Edition version 1.05 from: http://www.lavasoft.de/support/download/
Run Ad-Aware and click the "Check for Updates now" link. Install the latest reference file. Just update it for now, you will scan with it later!

Next...

Please download AboutBuster 4.0: http://downloads.subratam.org/AboutBuster.zip
Save it to a new folder such as C:\AboutBuster. Unzip it and run AboutBuster.exe. Then hit Ok; note that there is now an update button. Hit Update and 'Check for Update'. If there is a newer version, hit 'Download Update'. Just update it for now, we will use it later!

Next...

Boot into Safe Mode. Restart your computer, start tapping F8 when your computer first starts booting, and select Safe Mode.

Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck Hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK.

Go to Start > Run and type "Services.msc" (without the quotes), then hit Ok. Scroll down and find the service called: Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Next...

Press Ctrl-Alt-Delete to get into the Task Manager and end the following processes if they exist:
system.ini:lwteb

Next...

Run HijackThis, click Scan, and place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "Fix checked". It is OK if some of these items are no longer listed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {39003147-0564-FC80-401D-657710C0FEE1} - C:\WINDOWS\winnv32.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\ZxCfU.dll
O4 - HKLM\..\Run: [ZbybL] C:\documents and settings\chris\local settings\temp\ZbybL.exe
O4 - HKLM\..\Run: [ZLIzGvAS] C:\documents and settings\chris\local settings\temp\ZLIzGvAS.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [nettb.exe] C:\WINDOWS\system32\nettb.exe
O4 - HKLM\..\RunOnce: [d3gs.exe] C:\WINDOWS\d3gs.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Chris\Application Data\rrup.exe
O4 - HKCU\..\Run: [Pbphii] C:\WINDOWS\System32\l?gonui.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18af265b80b881d3b417/netzip/RdxIE601.cab
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ieym.exe (file missing)

These are resource hogs that can be fixed also:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Search for and delete the following files:
C:\WINDOWS\winnv32.dll
C:\Documents and Settings\Chris\Local Settings\Temp\ZxCfU.dll
C:\documents and settings\chris\local settings\temp\ZbybL.exe
C:\documents and settings\chris\local settings\temp\ZLIzGvAS.exe
C:\WINDOWS\system32\nettb.exe
C:\WINDOWS\d3gs.exe
C:\Documents and Settings\Chris\Application Data\rrup.exe

Search for and delete the following folders:
C:\Program Files\Windows ServeAd < delete the entire Windows ServeAd folder

Next...

Go to Start > Run, type Regedit, then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and highlight Services in the left pane. In the right pane, look for any of these entries named as:
O? ’ŽrtñåȲ$Ó
or
N S Service
If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the left pane. In the right pane, look for any entries like this:
LEGACY ½ O? ’ŽrtñåȲ$Ó
or
LEGACY N S Service
If you find it, right-click it in the right pane and choose Delete.

If you have trouble deleting a key, then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and Ok and attempt to delete the key again.

Browse to C:\AboutBuster and run AboutBuster.exe. If the tool asks you to perform a second pass, allow it to do it. Please copy and paste the final AboutBuster log to a text file and save it on your desktop.

Next...

Copy the contents of the Quote Box to Notepad. Name the file fix.reg. Change the Save as Type to All Files. Save this file on the desktop.

Quote:

Then double-click on the fix.reg file, and when it prompts to merge say Yes; this will clear some registry entries left behind by the process.

Next...

Perform a "Full system scan" with Ad-Aware. Allow it to remove anything it finds.

Go to Start > Run > type "cleanmgr" (without the quotes) > select the drive to clean up (usually C:) > place a checkmark next to the following:
Temporary Internet Files
Recycle Bin
Temporary Files
Then click OK.

Reboot normally.

Next...

I would like you to perform an online virus scan at Trend Micro: http://housecall.trendmicro.com/
Select all of your drives for scanning. Please check "Auto clean" before scanning.

If you can, copy and paste the report logs from the scan into your next post along with the AboutBuster log and a fresh HijackThis log.

Tom
__________________
HijackThis | Ad-aware | Spybot Search & Destroy | SpywareBlaster | SpywareGuard | Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
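The reply above turns the log in #1 into two hand-made lists: the entries to tick in HijackThis and the files to delete afterwards. The script below is an added example, not code from the thread or from HijackThis, that does the same triage mechanically over a constructed excerpt of the posted log. It parses each `Rn`/`On` line, pulls out the local file path (non-greedy, so paths with spaces survive), and applies rules that are assumptions tuned to this case: an IE search or start page served from a local DLL via `res://`, auto-start binaries sitting in `Local Settings\Temp` or dropped straight into the profile's `Application Data` root, a `?` in a path (an unprintable character mimicking `logonui.exe`), a BHO registered with no name, Trusted Zone additions, a downloaded ActiveX control, and a service whose binary the log already reports missing. `about:blank` as the default page and the missing URLSearchHook are only flagged when `res://` hijacks are present, since on their own they are harmless. The three names no path rule can catch (`nettb.exe`, `d3gs.exe`, `WinServAd.exe`) are taken from the reply's own assessment and supplied as an analyst list; `SAMPLE_LOG`, `ANALYST_BAD_NAMES` and the rule texts are all constructed here.

```python
# Added example, not part of the thread or of HijackThis. SAMPLE_LOG is a
# constructed excerpt of the log posted in #1; every rule is an assumption.
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {39003147-0564-FC80-401D-657710C0FEE1} - C:\WINDOWS\winnv32.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\ZxCfU.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ZLIzGvAS] C:\documents and settings\chris\local settings\temp\ZLIzGvAS.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [nettb.exe] C:\WINDOWS\system32\nettb.exe
O4 - HKLM\..\RunOnce: [d3gs.exe] C:\WINDOWS\d3gs.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Chris\Application Data\rrup.exe
O4 - HKCU\..\Run: [Pbphii] C:\WINDOWS\System32\l?gonui.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18af265b80b881d3b417/netzip/RdxIE601.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ieym.exe (file missing)
"""

# Names the reply identifies as malware that no path rule would catch (assumed list).
ANALYST_BAD_NAMES = {"nettb.exe", "d3gs.exe", "winservad.exe"}
# First local file path in a line; non-greedy so "Program Files" style paths survive.
PATH_RE = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll|ocx|cab)")
# Auto-start binaries in Temp, or dropped directly into the profile's Application Data root.
USER_WRITABLE_RE = re.compile(r"(?i)\\local settings\\temp\\|\\application data\\[^\\]+$")
LINE_RE = re.compile(r"^(R\d|O\d+|F\d|N\d) - ")


@dataclass
class Entry:
    section: str                 # "R1", "O4", "O23", ...
    text: str                    # the full log line
    path: Optional[str]          # first local file path on the line, if any
    reasons: List[str] = field(default_factory=list)


def parse_log(log: str) -> List[Entry]:
    entries = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = LINE_RE.match(line)
        if m:
            p = PATH_RE.search(line)
            entries.append(Entry(m.group(1), line, p.group(0) if p else None))
    return entries


def _basename(e: Entry) -> str:
    return (e.path or "").lower().rsplit("\\", 1)[-1]


# (sections the rule applies to, predicate, reason) -- per-entry rules.
RULES = [
    (("R0", "R1"), lambda e: "res://" in e.text, "IE search/start page served from a local DLL via res://"),
    (("O2",), lambda e: "(no name)" in e.text, "BHO registered without a name"),
    (("O2", "O4"), lambda e: bool(e.path and USER_WRITABLE_RE.search(e.path)), "auto-start binary in Temp or profile root"),
    (("O2", "O4"), lambda e: bool(e.path and "?" in e.path), "unprintable character in path (mimics a system file)"),
    (("O15",), lambda e: True, "site or IP range added to the IE Trusted Zone"),
    (("O16",), lambda e: True, "ActiveX control downloaded by a web page; fix unless known to be needed"),
    (("O23",), lambda e: "(file missing)" in e.text, "service registered but its binary is missing"),
    (("O2", "O4", "O23"), lambda e: _basename(e) in ANALYST_BAD_NAMES, "identified as malware by the analyst"),
]


def triage(entries: List[Entry]) -> List[Entry]:
    for e in entries:
        e.reasons = [why for secs, hit, why in RULES if e.section in secs and hit(e)]
    # about:blank as start page and a missing URLSearchHook are harmless alone;
    # next to res:// hijacks they belong to the same hijack, which is what the
    # reply's AboutBuster step is for.
    if any("res://" in e.text for e in entries if e.section in ("R0", "R1")):
        for e in entries:
            if e.section == "R1" and "about:blank" in e.text:
                e.reasons.append("about:blank start page alongside res:// hijack")
            elif e.section == "R3" and "is missing" in e.text:
                e.reasons.append("URLSearchHook removed alongside res:// hijack")
    return [e for e in entries if e.reasons]


def hijackthis_fix_list(flagged: List[Entry]) -> List[str]:
    """Lines to tick in HijackThis before clicking 'Fix checked'."""
    return [e.text for e in flagged]


def files_to_delete(flagged: List[Entry]) -> List[str]:
    """Local files behind the flagged entries, deduplicated case-insensitively and
    skipping any the log already reports missing. Includes the DLL serving the res:// page."""
    seen, files = set(), []
    for e in flagged:
        if e.path and "(file missing)" not in e.text and e.path.lower() not in seen:
            seen.add(e.path.lower())
            files.append(e.path)
    return files


if __name__ == "__main__":
    flagged = triage(parse_log(SAMPLE_LOG))
    for e in flagged:
        print(f"[{e.section}] {e.text}\n      -> {'; '.join(e.reasons)}")
    print("\nDelete:", *files_to_delete(flagged), sep="\n  ")
```

Run as-is it prints the flagged entries with the reason each rule gave, then the delete list. The Norton, Adobe and NAV Agent lines pass untouched, the two `res://` lines collapse to a single `yesdk.dll` in the delete list, and `ieym.exe` stays out of it because the log says the file is already gone; anything that only an analyst's reference knowledge can catch has to come in through `ANALYST_BAD_NAMES`, which is why the reply's fix list is longer than a path rule alone would produce.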
Dev Shed Forums > System Administration > Antivirus Protection > Need help with hijacked computer and stubborn spyware please