We've got a nasty browser hijack. I tried following advice from previous posters with similar situations, but no luck. One issue was that when I got to the step of running cleanmgr my system just hung there and wouldn't complete the process. In any case here is my log and any advice you could offer would be a huge, huge help.

Logfile of HijackThis v1.99.1
Scan saved at 8:05:49 PM, on 6/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\msvcmm32.exe
C:\WINDOWS\system32\msqh32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\ntkw32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Debra\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tmenn.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tmenn.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tmenn.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tmenn.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tmenn.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tmenn.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tmenn.dll/sp.html#24098
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Debra\Application Data\Mozilla\Profiles\default\jhvyuyux.slt\prefs.j s)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Debra\Application Data\Mozilla\Profiles\default\jhvyuyux.slt\prefs.j s)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8138A2D4-0618-79E0-2F69-652F8ACFD32F} - C:\WINDOWS\system32\d3tj32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FE0C1535-D258-E58A-1983-206574280E88} - C:\WINDOWS\d3jb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0. dll
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [msqh32.exe] C:\WINDOWS\system32\msqh32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Robo TaskBar Icon &1 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: TaskBar - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra 'Tools' menuitem: Robo TaskBar Icon &1 - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04ab775128cde1731105/netzip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {DAEB8818-608B-40D2-8AD6-193753623CEB} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntkw32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




Thanks in advance - this is driving me completely beserk.

Hello,dqw5644 & Welcome

The first thing i need you to do is move HijackThis to a
folder in C:\Drive like so C:\HJT

1. Print out these instructions or save them to your desktop as a text file with Notepad because you will be running the fixes in Safe Mode with IE closed.

2.Press control-alt-delete to get into the task manager and end the follow processes if they exist:
ntkw32.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

3.Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I ) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

4. Prepare CWShredder for use: This is a free stand-alone program from Intermute.

Download CWShredder.
Save CWShredder.exe to a convenient location.
Please do not do anything with it yet.

5. Prepare AboutBuster for use:
Download the free tool AboutBuster here:
AboutBuster

or here:
http://malwarebytes.biz/AboutBuster.zip


* Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.

* Navigate to the AboutBuster directory and double-click on AboutBuster.exe.

* Click "OK" at the prompt with instructions.

* Click "Update" and then "Check For Update" to begin the update process.

* If any updates exist please download them by clicking "Download Update".

* You should not run the program yet so click "Exit".

6. Configure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

For Operating Systems other than XP, please see here:
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

7. Download the free tool Hoster from here: http://www.funkytoad.com/download/hoster.zip

Unzip Hoster to a convenient location like your desktop and double click on

Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

8. Boot into Safe Mode: (Print out or copy the instructions appropriate for your operating system so have them handy when you need to return to normal mode.
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

9. Run CWShredder:

* Double-click on CWShredder.exe.

* Click "Fix ->" and click "OK" at the prompt.

* CWShredder will scan and clean your system of CWS files.

* Click "Next->" and then "Exit".

10. Run AboutBuster and save the logs:


* Browse to where you saved AboutBuster and run AboutBuster.exe.

* Click OK at the directions prompt.

* Click Start and then OK to run

* Click Yes to allow it to shutdown explorer.exe.

* It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.

* When it has finished, click Save Log. We will need you to post a copy of the log after all steps here are finished.

11. Clean out temporary files:


* Start | Run | type cleanmgr | OK

* Let it scan your system for files to remove.

* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

* Click "OK" to remove them.

* Click "Yes" to confirm the deletion.

12. Restart your computer normally to return to normal mode.

13. Get a Free TrendMicro Housecall scan:

* Visit the TrendMicro Housecall website.

* Select your country from the drop-down list and click "Go".

* Choose "Yes" at the ActiveX Security Warning prompt.

* Please wait while the Housecall engine is updated.

* Select the drives to be scanned by placing a check in their respective boxes.

* Check the "Auto Clean" box.

* Click "SCAN" in order to begin scanning your system.

* Please be patient while Housecall scans your system for malicious files.

* If not auto-cleaned, remove anything it finds.

* Click "Close" to exit the Housecall scanner.

* Choose "Yes" at the HouseCall message prompt.

14. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

ActiveX controls and plug-ins

* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

15. In your next reply:

* Please post a fresh HijackThis log

* Please post the AboutBuster log.

* Please note any complications you had.

HGD