Hi,

I'm working on a neighbours PC running XP to try and stop it throwing pop-ups and auto dialing. I've run scans with Norton AV and PestPatrol, both these now report the machine clean. But when IE is started it tries dialing the internet periodically.

I downloaded and ran HijackThis it gives the attached log, can anyone kindly spread any light on possilbe problems?

Logfile of HijackThis v1.98.0
Scan saved at 13:46:32, on 14/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\wdskctl.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\WINDOWS\System32\taskmgr.exe
C:\system recovery files mark July 2004\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9908/se...00000860001&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [xotqfon] C:\WINDOWS\xotqfon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [oreuxd] C:\WINDOWS\System32\bkzzww.exe
O4 - HKLM\..\Run: [bqbwz] C:\WINDOWS\bqbwz.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [twh] C:\WINDOWS\twh.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

Many thanks in advance for any help.

Cheers
Mark

Hello,

Your neighbour has got a hijacker there and we will use Hijack This to get rid of it. Your neighbours computer is also suffering from a lack of Windows Updates. We will deal with that afterwards.

Could you please download and run CWShredder which will get rid of the majority of CWS Browser Hijacker infections. Please ensure that you click Fix and click Ok to any prompts. Make sure you don't only scan.

Thanks for the confirmation, I've run CWShredder and it now reports the PC as being clean.

I ran HijackThis again too and the log now looks like:

Logfile of HijackThis v1.98.0
Scan saved at 16:43:09, on 14/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\wdskctl.exe
C:\WINDOWS\System32\automove.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\system recovery files mark July 2004\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [xotqfon] C:\WINDOWS\xotqfon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [oreuxd] C:\WINDOWS\System32\bkzzww.exe
O4 - HKLM\..\Run: [bqbwz] C:\WINDOWS\bqbwz.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [twh] C:\WINDOWS\twh.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

Any other advice gratefully received.

Thanks
Mark

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

O4 - HKLM\..\Run: [xotqfon] C:\WINDOWS\xotqfon.exe

O4 - HKLM\..\Run: [oreuxd] C:\WINDOWS\System32\bkzzww.exe
O4 - HKLM\..\Run: [bqbwz] C:\WINDOWS\bqbwz.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - HKLM\..\Run: [twh] C:\WINDOWS\twh.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

Make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode then find and delete:

C:\WINDOWS\System32\SWin32.dll <-------- Delete this file.
C:\WINDOWS\xotqfon.exe <-------- Delete this file.
C:\WINDOWS\bqbwz.exe <-------- Delete this file.
C:\WINDOWS\wdskctl.exe <-------- Delete this file.
C:\WINDOWS\System32\automove.exe <-------- Delete this file.
C:\WINDOWS\twh.exe <-------- Delete this file.
C:\Program Files\TV Media <-------- Delete this folder.

Click here to make sure that you have the latest patches for Windows. Click here to get the latest version of Internet Explorer. It's very important to keep your system up to date to avoid unnecessary security risks.

Reboot, then post another log.

Thanks for the advice, I've done the fix and removed the suggested files, then I tried windows update and there's the rub, the copy of XP installed on the machine is not a valid copy I'm dismantling the machine to return it across the road and will suggest he gets in touch with whoever sold him the machine.

For interest the log now looks like:

Logfile of HijackThis v1.98.0
Scan saved at 15:43:51, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\system recovery files mark July 2004\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [oreuxd] C:\WINDOWS\System32\bkzzww.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

Thanks for your help

Mark

Please close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O4 - HKLM\..\Run: [oreuxd] C:\WINDOWS\System32\bkzzww.exe

Click Fix Checked

Boot into Safe Mode

Then, ensuring that you are showing hidden files and folders (link in my signature), go to C:\Windows\System32 and delete bkzzww.exe.

Reboot

Post a fresh log

Not being able to update Windows is serious. Thats why you need to ensure that your copy (referring to your neighbour) is bought legally and is not a copy owned by somebody else.

That wuz a little bit conpuzzleing ...but IT workt TY,TY,TY ...DAMN coolwebssearch

There pretty simple once your actually following them