Member Avatar for miamibahamas03

:cry: Calling all reg experts!

I ran Hijack This & have highlighted reg errors that I suspect to be malware. How do I get rid of them? My home page keeps on resetting to this baszu.dll search page.

Logfile of HijackThis v1.98.0
Scan saved at 1:17:58 PM, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\winbd32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\netce.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\regedit.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\User\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bazsu.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bazsu.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bazsu.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bazsu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bazsu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bazsu.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {9E6831BF-99D6-C366-55D9-783927C20928} - C:\WINDOWS\sdkgp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netce.exe] C:\WINDOWS\netce.exe
O4 - HKLM\..\RunOnce: [winbd32.exe] C:\WINDOWS\winbd32.exe
O4 - HKLM\..\RunOnce: [netgv32.exe] C:\WINDOWS\system32\netgv32.exe
O4 - HKLM\..\RunOnce: [winvv.exe] C:\WINDOWS\system32\winvv.exe
O4 - HKLM\..\RunOnce: [apiqn.exe] C:\WINDOWS\apiqn.exe
O4 - HKLM\..\RunOnce: [mfchz32.exe] C:\WINDOWS\system32\mfchz32.exe
O4 - HKLM\..\RunOnce: [ierl32.exe] C:\WINDOWS\system32\ierl32.exe
O4 - HKLM\..\RunOnce: [crat32.exe] C:\WINDOWS\system32\crat32.exe
O4 - HKLM\..\RunOnce: [ntfb.exe] C:\WINDOWS\ntfb.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: SonyPDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O18 - Protocol: icoo - {2CC63CCE-A945-4D6A-9FA0-3669D7C3C22C} - (no file)

This seems to be a relatively new hijack as I can't find any info on the web about it.

Thanks in advance!

  • 2 Contributors
  • 7 Replies
  • 145 Views
  • 2 Weeks Discussion Span
  • Latest Post Latest Post by crunchie
Member Avatar for crunchie

You can either use system restore to go back to a time before this hijack, or:

  1. Make sure your settings allow you to view "Hidden files" & "hide protected operating system files" is unchecked. Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "winbd32.exe" & "netce.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
  3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
  4. Scroll down and find the service called "Network Security Service".
  5. When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
  6. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bazsu.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bazsu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bazsu.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bazsu.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bazsu.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bazsu.dll/index.html#37049

    O2 - BHO: (no name) - {9E6831BF-99D6-C366-55D9-783927C20928} - C:\WINDOWS\sdkgp.dll

    O4 - HKLM\..\Run: [netce.exe] C:\WINDOWS\netce.exe
    O4 - HKLM\..\RunOnce: [winbd32.exe] C:\WINDOWS\winbd32.exe
    O4 - HKLM\..\RunOnce: [netgv32.exe] C:\WINDOWS\system32\netgv32.exe
    O4 - HKLM\..\RunOnce: [winvv.exe] C:\WINDOWS\system32\winvv.exe
    O4 - HKLM\..\RunOnce: [apiqn.exe] C:\WINDOWS\apiqn.exe
    O4 - HKLM\..\RunOnce: [mfchz32.exe] C:\WINDOWS\system32\mfchz32.exe
    O4 - HKLM\..\RunOnce: [ierl32.exe] C:\WINDOWS\system32\ierl32.exe
    O4 - HKLM\..\RunOnce: [crat32.exe] C:\WINDOWS\system32\crat32.exe
    O4 - HKLM\..\RunOnce: [ntfb.exe] C:\WINDOWS\ntfb.exe


  7. Reboot into Safe Mode - How do I boot into "Safe" mode? , and delete the following files:

    C:\WINDOWS\bazsu.dll

    C:\WINDOWS\sdkgp.dll

    C:\WINDOWS\netce.exe
    C:\WINDOWS\winbd32.exe
    C:\WINDOWS\system32\netgv32.exe
    C:\WINDOWS\system32\winvv.exe
    C:\WINDOWS\apiqn.exe
    C:\WINDOWS\system32\mfchz32.exe
    C:\WINDOWS\system32\ierl32.exe
    C:\WINDOWS\system32\crat32.exe
    C:\WINDOWS\ntfb.exe


    Reboot in Normal Mode.
    Download the file attached to this post and rename it to cwsuninst.reg
    Doubleclick it and confirm you want to merge it with the registry.
    Run HijackThis again and post a new log.

    File Attachment

    Extra notes
    If given full internet access this variant will delete:
    - your hosts file (good replacements can be found here or here )
    - Spybot S&D's BHO (download SDHelper.dll, put it in the Spybot folder (default is: C:\Program Files\Spybot - Search & Destroy\) and click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" > OK
    - control.exe: follow instructions here: http://www.spywareinfo.com/~merijn/winfiles.html

Member Avatar for miamibahamas03

Thanks for the help, crunchie! Sorry it took so long to re-post my log. Been crazy @ work!

I could not fix/delete the following:

From Hijack This:

O2 - BHO: (no name) - {9E6831BF-99D6-C366-55D9-783927C20928} - C:\WINDOWS\sdkgp.dll

Did not appear in the log.

From C:\WINDOWS...

C:\WINDOWS\bazsu.dll not in folder
C:\WINDOWS\sdkgp.dll not in folder

Files similar to the ones below were found in C:\WINDOWS\prefetch but not in the exact location as indicated. I didn't delete any of them.

C:\WINDOWS\netce.exe
C:\WINDOWS\winbd32.exe
C:\WINDOWS\system32\netgv32.exe
C:\WINDOWS\system32\winvv.exe
C:\WINDOWS\apiqn.exe
C:\WINDOWS\system32\mfchz32.exe
C:\WINDOWS\system32\ierl32.exe
C:\WINDOWS\system32\crat32.exe
C:\WINDOWS\ntfb.exe

This is my new log...

Logfile of HijackThis v1.98.0
Scan saved at 8:04:22 PM, on 26/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\winbd32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\netce.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {8F626EE5-B30B-3F5E-3FD1-BFA5F18BA72F} - C:\WINDOWS\addvf32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netce.exe] C:\WINDOWS\netce.exe
O4 - HKLM\..\RunOnce: [crvk.exe] C:\WINDOWS\system32\crvk.exe
O4 - HKLM\..\RunOnce: [ipjh.exe] C:\WINDOWS\ipjh.exe
O4 - HKLM\..\RunOnce: [d3cd.exe] C:\WINDOWS\d3cd.exe
O4 - HKLM\..\RunOnce: [d3fc.exe] C:\WINDOWS\system32\d3fc.exe
O4 - HKLM\..\RunOnce: [javanx32.exe] C:\WINDOWS\system32\javanx32.exe
O4 - HKLM\..\RunOnce: [winbd32.exe] C:\WINDOWS\winbd32.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: SonyPDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O18 - Protocol: icoo - {2CC63CCE-A945-4D6A-9FA0-3669D7C3C22C} - (no file)

Look forward to your reply.

Thanks again!

Member Avatar for crunchie

Hi again. Still have some files left over. Will remove them with hijackthis, then you can run another removal tool that is proving effective against this hijacker.

Download the following tools but do not run them until asked. Update Adaware immediately after installing it.

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

*********************************************************
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {8F626EE5-B30B-3F5E-3FD1-BFA5F18BA72F} - C:\WINDOWS\addvf32.dll
O4 - HKLM\..\Run: [netce.exe] C:\WINDOWS\netce.exe
O4 - HKLM\..\RunOnce: [crvk.exe] C:\WINDOWS\system32\crvk.exe
O4 - HKLM\..\RunOnce: [ipjh.exe] C:\WINDOWS\ipjh.exe
O4 - HKLM\..\RunOnce: [d3cd.exe] C:\WINDOWS\d3cd.exe
O4 - HKLM\..\RunOnce: [d3fc.exe] C:\WINDOWS\system32\d3fc.exe
O4 - HKLM\..\RunOnce: [javanx32.exe] C:\WINDOWS\system32\javanx32.exe
O4 - HKLM\..\RunOnce: [winbd32.exe] C:\WINDOWS\winbd32.exe

O18 - Protocol: icoo - {2CC63CCE-A945-4D6A-9FA0-3669D7C3C22C} - (no file)

*********************************************************

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode. Post another log please as well as the results from the about:buster log.

Member Avatar for miamibahamas03

Here's the new HJT Log...

Logfile of HijackThis v1.98.0
Scan saved at 7:41:45 PM, on 28/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ca.msn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46F3B906-9341-261A-174E-A449FCEEC741} - C:\WINDOWS\system32\crgr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: SonyPDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O18 - Protocol: icoo - {2CC63CCE-A945-4D6A-9FA0-3669D7C3C22C} - (no file)

& the about:buster results...

-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\addvf32.dll
Removed! : C:\WINDOWS\apiqn.exe
Removed! : C:\WINDOWS\appee.exe
Removed! : C:\WINDOWS\asvknu.dat
Removed! : C:\WINDOWS\ayeww.dat
Removed! : C:\WINDOWS\bazsu.dat
Removed! : C:\WINDOWS\cdngia.dat
Removed! : C:\WINDOWS\cedrm.dat
Error Removing! : C:\WINDOWS\cpkxjp.dat
Removed! : C:\WINDOWS\d3cd.exe
Removed! : C:\WINDOWS\dbdtwv.dat
Removed! : C:\WINDOWS\ejnxlj.dat
Removed! : C:\WINDOWS\eoxbai.dat
Removed! : C:\WINDOWS\evisa.dat
Error Removing! : C:\WINDOWS\fajhkg.dat
Error Removing! : C:\WINDOWS\frbdor.dat
Error Removing! : C:\WINDOWS\icqngq.dat
Removed! : C:\WINDOWS\iphvh.dat
Removed! : C:\WINDOWS\ipjh.exe
Removed! : C:\WINDOWS\iwhxhq.dat
Error Removing! : C:\WINDOWS\jatqtv.dat
Removed! : C:\WINDOWS\javaja32.dll
Removed! : C:\WINDOWS\jgijsw.dat
Removed! : C:\WINDOWS\jzatcw.dat
Removed! : C:\WINDOWS\kdeegc.dat
Removed! : C:\WINDOWS\kfvvle.dat
Removed! : C:\WINDOWS\lufnrl.dat
Removed! : C:\WINDOWS\migsxl.dat
Removed! : C:\WINDOWS\msgo.dll
Error Removing! : C:\WINDOWS\msif32.dll
Removed! : C:\WINDOWS\netce.exe
Removed! : C:\WINDOWS\ntbu.exe
Removed! : C:\WINDOWS\ntfb.exe
Error Removing! : C:\WINDOWS\ntky.dll
Error Removing! : C:\WINDOWS\n_bmwhcw.dat
Removed! : C:\WINDOWS\n_kfvvle.dat
Removed! : C:\WINDOWS\n_wzefuc.dat
Removed! : C:\WINDOWS\n_xeswxp.dat
Removed! : C:\WINDOWS\odpmr.dat
Removed! : C:\WINDOWS\ohhzzx.dat
Removed! : C:\WINDOWS\oqdmpu.dat
Error Removing! : C:\WINDOWS\qffbew.dat
Removed! : C:\WINDOWS\qtzvue.dat
Removed! : C:\WINDOWS\riyxrc.dat
Removed! : C:\WINDOWS\scxzb.dll
Error Removing! : C:\WINDOWS\tgwnbu.dat
Removed! : C:\WINDOWS\urhkoa.dat
Error Removing! : C:\WINDOWS\waubvh.dat
Removed! : C:\WINDOWS\winbd32.exe
Removed! : C:\WINDOWS\wwerq.dat
Removed! : C:\WINDOWS\xdexin.dat
Removed! : C:\WINDOWS\xkuyx.dat
Removed! : C:\WINDOWS\xnflyp.dat
Removed! : C:\WINDOWS\xpkms.dat
Removed! : C:\WINDOWS\xXhdlZP.exe
Removed! : C:\WINDOWS\ywxrzt.dat
Removed! : C:\WINDOWS\zumajx.dat
Removed! : C:\WINDOWS\zzqnuz.dat
Error Removing! : C:\WINDOWS\System32\atlod32.dll
Removed! : C:\WINDOWS\System32\atlsw32.exe
Removed! : C:\WINDOWS\System32\btsvr.dat
Removed! : C:\WINDOWS\System32\crat32.exe
Error Removing! : C:\WINDOWS\System32\crgr.dll
Removed! : C:\WINDOWS\System32\crvk.exe
Error Removing! : C:\WINDOWS\System32\d3an32.dll
Removed! : C:\WINDOWS\System32\d3fc.exe
Removed! : C:\WINDOWS\System32\dcvyy.dat
Removed! : C:\WINDOWS\System32\dpqmo.dat
Removed! : C:\WINDOWS\System32\fnouk.dat
Removed! : C:\WINDOWS\System32\fnouk.dll
Removed! : C:\WINDOWS\System32\ierl32.exe
Removed! : C:\WINDOWS\System32\ihmyk.dat
Removed! : C:\WINDOWS\System32\javanx32.exe
Removed! : C:\WINDOWS\System32\mfchz32.exe
Error Removing! : C:\WINDOWS\System32\netau.dll
Removed! : C:\WINDOWS\System32\netgv32.exe
Removed! : C:\WINDOWS\System32\rkicp.dat
Error Removing! : C:\WINDOWS\System32\sdkdc.dll
Removed! : C:\WINDOWS\System32\whlgz.dat
Removed! : C:\WINDOWS\System32\winvv.exe
Removed! : C:\WINDOWS\System32\zumaj.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Error Removing! : C:\WINDOWS\cpkxjp.dat
Error Removing! : C:\WINDOWS\fajhkg.dat
Error Removing! : C:\WINDOWS\frbdor.dat
Error Removing! : C:\WINDOWS\icqngq.dat
Error Removing! : C:\WINDOWS\jatqtv.dat
Error Removing! : C:\WINDOWS\msif32.dll
Error Removing! : C:\WINDOWS\ntky.dll
Error Removing! : C:\WINDOWS\n_bmwhcw.dat
Removed! : C:\WINDOWS\qffbew.dat
Error Removing! : C:\WINDOWS\tgwnbu.dat
Error Removing! : C:\WINDOWS\waubvh.dat
Removed! : C:\WINDOWS\System32\atlod32.dll
Error Removing! : C:\WINDOWS\System32\crgr.dll
Removed! : C:\WINDOWS\System32\d3an32.dll
Removed! : C:\WINDOWS\System32\netau.dll
Removed! : C:\WINDOWS\System32\sdkdc.dll
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

My home page is already looking better ;)

Member Avatar for crunchie

Just this one & you should be right :)

O2 - BHO: (no name) - {46F3B906-9341-261A-174E-A449FCEEC741} - C:\WINDOWS\system32\crgr.dll

Member Avatar for miamibahamas03

Thanks. Looks like we fixed it.

:)

Member Avatar for crunchie

You're welcome :) . Marking this as solved. Anyone else with the same problem, please start your own thread. Thank you.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.