my IE is being hijacked by woheh.dll/index.html#96676

1. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "ntgr32.exe" & "mslr.exe" & "nfzggooe.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
4. Scroll down and find the service called "Network Security Service".
5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\woheh.dll/sp.html#96676
   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://woheh.dll/index.html#96676
   R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://woheh.dll/index.html#96676
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\woheh.dll/sp.html#96676
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://woheh.dll/index.html#96676
   R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\woheh.dll/sp.html#96676

   O2 - BHO: (no name) - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\netip32.dll

   O4 - HKLM\..\Run: [mslr.exe] C:\WINDOWS\system32\mslr.exe
   O4 - HKLM\..\Run: [rkimtxhg] C:\WINDOWS\System32\nfzggooe.exe
   O4 - HKLM\..\RunOnce: [ntgr32.exe] C:\WINDOWS\system32\ntgr32.exe
   O4 - HKLM\..\RunOnce: [apine.exe] C:\WINDOWS\system32\apine.exe
   O4 - HKLM\..\RunOnce: [netdf.exe] C:\WINDOWS\system32\netdf.exe
   

7. Reboot into Safe Mode - How do I boot into "Safe" mode?, and delete the following files:

   C:\WINDOWS\woheh.dll< file

   C:\WINDOWS\netip32.dll< file

   C:\WINDOWS\system32\mslr.exe< file
   C:\WINDOWS\System32\nfzggooe.exe< file
   C:\WINDOWS\system32\ntgr32.exe< file
   C:\WINDOWS\system32\apine.exe< file
   C:\WINDOWS\system32\netdf.exe< file

8. Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
9. One the registry opens, Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
   If __NS_Service_3 exists , right click on it and choose delete from the menu.
10. Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
    If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
11. Exit regedit and reboot in Normal Mode.
12. Two files (Possibly three) were also deleted from your computer and need to be replaced.
    • control.exe - Go to Merijn Files (control) and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
13. Run HiJackThis again and post a new log in this thread.

hello thank you for the help. I have done everything you recommended and I will post my fresh log here now. There are only a couple of things that were not there to delete. I dont know if it was better that they weren't there or not but these things I did not find in the pc:

7. c:\windows\netip32.dll
c:\windows\system32\mslr.exe
c:\windows\system32\apine.exe
c:\windows\system32\netdf.exe

the only other thing was this registry key was not able to be deleted because it kept giving me a "cannot delete: error while deleting" the key was

10. hkey_local_machine\system\currentcontrolset\enum\root\legacy_ns_service_3

my fresh log:

Logfile of HijackThis v1.97.7
Scan saved at 4:35:30 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\croe32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\All Users\Documents\antispyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ev1.net/
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2820133F-6D1C-8230-4635-3EC22B4F8C38} - C:\WINDOWS\netqh.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [appdt32.exe] C:\WINDOWS\appdt32.exe
O4 - HKLM\..\RunOnce: [iemd.exe] C:\WINDOWS\system32\iemd.exe
O4 - HKLM\..\RunOnce: [addqb32.exe] C:\WINDOWS\addqb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSoffice2000\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E11CA7B-6C2F-47A8-9BFD-7C14BFDA496F}: NameServer = 207.218.192.38 207.218.192.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E11CA7B-6C2F-47A8-9BFD-7C14BFDA496F}: NameServer = 207.218.192.38 207.218.192.39

thanks again! I will check back here to look for your update and to make sure everything in the new log looks okay to you.
Thanks

It *looks* like the hijack has gone. Just a few others to remove now.

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\WINDOWS\system32\croe32.exe< file
C:\WINDOWS\netqh.dll< file
C:\WINDOWS\appdt32.exe< file
C:\WINDOWS\system32\iemd.exe< file
C:\WINDOWS\addqb32.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

O2 - BHO: (no name) - {2820133F-6D1C-8230-4635-3EC22B4F8C38} - C:\WINDOWS\netqh.dll

O4 - HKLM\..\RunOnce: [appdt32.exe] C:\WINDOWS\appdt32.exe
O4 - HKLM\..\RunOnce: [iemd.exe] C:\WINDOWS\system32\iemd.exe
O4 - HKLM\..\RunOnce: [addqb32.exe] C:\WINDOWS\addqb32.exe

O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

Reboot normally after doing the above then post a fresh log plz.