Newb here..IE has been hijacked, HELP!

Hello all...Newbie here! After several intense searches on how to fix my Hijacking issue, I have come to the conclusion that this would be the best place to seek help/advice. Can some one review my "Hijack this log," and provide me with instruction's on HOW and WHAT I need to do, to remove the culprit? I'd be eternally greatful!

Logfile of HijackThis v1.98.0
Scan saved at 1:19:43 PM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ntbu.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\WINDOWS\System32\fjmlue.exe
C:\WINDOWS\system32\sdkwi.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\licmb10n.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = URL (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mxoqy.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = URL (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = URL (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1BF98538-B821-9B2B-6B34-38F2F81EB289} - C:\WINDOWS\system32\addhf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [UqMs] C:\documents and settings\dave\local settings\temp\UqMs.exe
O4 - HKLM\..\Run: [bS7Bq5] C:\documents and settings\dave\local settings\temp\bS7Bq5.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [szcgzkz] C:\WINDOWS\System32\fjmlue.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sdkwi.exe] C:\WINDOWS\system32\sdkwi.exe
O4 - HKLM\..\RunOnce: [d3sx.exe] C:\WINDOWS\d3sx.exe
O4 - HKLM\..\RunOnce: [mssp32.exe] C:\WINDOWS\system32\mssp32.exe
O4 - HKLM\..\RunOnce: [mswn32.exe] C:\WINDOWS\system32\mswn32.exe
O4 - HKLM\..\RunOnce: [atlcj.exe] C:\WINDOWS\atlcj.exe
O4 - HKLM\..\RunOnce: [netnj32.exe] C:\WINDOWS\netnj32.exe
O4 - HKLM\..\RunOnce: [nthv32.exe] C:\WINDOWS\system32\nthv32.exe
O4 - HKLM\..\RunOnce: [netnm32.exe] C:\WINDOWS\netnm32.exe
O4 - HKLM\..\RunOnce: [appva.exe] C:\WINDOWS\appva.exe
O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\system32\sdknv.exe
O4 - HKLM\..\RunOnce: [iedl32.exe] C:\WINDOWS\system32\iedl32.exe
O4 - HKLM\..\RunOnce: [mfcrs32.exe] C:\WINDOWS\mfcrs32.exe
O4 - HKLM\..\RunOnce: [msnz32.exe] C:\WINDOWS\system32\msnz32.exe
O4 - HKLM\..\RunOnce: [javalo32.exe] C:\WINDOWS\system32\javalo32.exe
O4 - HKLM\..\RunOnce: [mslt.exe] C:\WINDOWS\mslt.exe
O4 - HKLM\..\RunOnce: [ntzt.exe] C:\WINDOWS\ntzt.exe
O4 - HKLM\..\RunOnce: [msrz.exe] C:\WINDOWS\system32\msrz.exe
O4 - HKLM\..\RunOnce: [d3aw.exe] C:\WINDOWS\system32\d3aw.exe
O4 - HKLM\..\RunOnce: [sdksm32.exe] C:\WINDOWS\sdksm32.exe
O4 - HKLM\..\RunOnce: [ntci32.exe] C:\WINDOWS\system32\ntci32.exe
O4 - HKLM\..\RunOnce: [d3bx32.exe] C:\WINDOWS\d3bx32.exe
O4 - HKLM\..\RunOnce: [addmu32.exe] C:\WINDOWS\addmu32.exe
O4 - HKLM\..\RunOnce: [atlls.exe] C:\WINDOWS\atlls.exe
O4 - HKLM\..\RunOnce: [atlcu.exe] C:\WINDOWS\atlcu.exe
O4 - HKLM\..\RunOnce: [apixt32.exe] C:\WINDOWS\system32\apixt32.exe
O4 - HKLM\..\RunOnce: [sdksb.exe] C:\WINDOWS\system32\sdksb.exe
O4 - HKLM\..\RunOnce: [addxx32.exe] C:\WINDOWS\addxx32.exe
O4 - HKLM\..\RunOnce: [javapt.exe] C:\WINDOWS\system32\javapt.exe
O4 - HKLM\..\RunOnce: [appwq.exe] C:\WINDOWS\system32\appwq.exe
O4 - HKLM\..\RunOnce: [netzj.exe] C:\WINDOWS\netzj.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Dave"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [Mw46Rjd4h] licmb10n.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O13 - DefaultPrefix: URL
O13 - WWW Prefix: URL
O13 - Home Prefix: URL
O13 - Mosaic Prefix: URL
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-116172758335} - mhtml:file://C:NO_SUCH_MHT.MHT!URL
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - URL
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - URL
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - URL
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - URL
O17 - HKLM\System\CCS\Services\Tcpip\..\{6092D047-7113-4BAF-9089-4507FF1D765C}: NameServer = 205.188.146.146
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

You have two infections. Please do the following:

You are infected with a variant of the CoolWebSearch.

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the FIx button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

or

http://tools.zerosrealm.com/CWShredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds an new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Once that is completed you should follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what it finds. This is to gaurantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

AD-AWARE - Using Ad-aware to remove Spyware/Hijackers from Your Computer.

SPYBOT SEARCH AND DESTROY - Using Spybot - Search & Destroy to remove Spyware from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items. Please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing enties with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hardrive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers