Running Win XP and IE 6. When I do a Google search or anything else that gives me a list of links to choose from, many of them take me to some garbage site when clicked on. Sometimes the site even takes over IE, telling me my PC is infected and starting to download some cleaner. I know I'm hijacked, but I can't figure out how to get rid of it. I've run AdAware, SpyBot, Avast, and Ewido, all in both normal and Safe Mode. The only thing that stands out from all of that is that Ewido found "Downloader.Agent.uj" and didn't seem to be able to remove it.
Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:53:00 PM, on 10/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\LiquidView\lviewj.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LiquidView] C:\Program Files\LiquidView\lviewj.exe -nogui
O4 - HKLM\..\Run: [1Srv32] C:\Program Files\Spytech Software\Spytech SpyAgent\SpyAgent4.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dmqvy.exe] C:\WINDOWS\system32\dmqvy.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://secure.bcbsaz.com/cabs/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/23e69ecdd670c4f25906/netzip/RdxIE601.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093145691390
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63AC68C7-FBF4-4646-A664-3F92946D3B13}: NameServer = 85.255.113.125,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{A156E558-D79E-49E8-8020-2DAF2F1D4E9F}: NameServer = 85.255.113.125,85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.214
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.214
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: service - Unknown owner - C:\WINDOWS\SERVICE.EXE (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
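A triage pass over the HijackThis log format, added here as an example (it is not part of the post above and not HijackThis's own code): it parses a few lines copied from the log and reports the entries a defender would look at first: the UserInit value that is not the stock userinit.exe, the Run value named after its own file, the O17 NameServer addresses that are not on a trusted list, and the unknown-owner service whose binary is missing. The trusted resolver address is an assumption standing in for whatever the owner's router or ISP actually hands out.

```python
import re
from ipaddress import ip_address

# Constructed sample: a few lines copied from the HijackThis log in the post
# (one benign O4 line is included so the checks have something to pass).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dmqvy.exe] C:\WINDOWS\system32\dmqvy.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.125 85.255.112.214
O23 - Service: service - Unknown owner - C:\WINDOWS\SERVICE.EXE (file missing)
"""

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # stock XP value
# Assumption: resolvers the owner expects (router/ISP); anything else is reported.
TRUSTED_RESOLVERS = {"192.168.1.1"}
ENTRY = re.compile(r"^(?P<kind>[FOR]\d+) - (?P<body>.*)$")


def triage(log_text, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return (kind, reason, line) tuples for entries an analyst should review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "F2" and "UserInit=" in body:
            # Winlogon runs this at every logon, so a swapped value persists well.
            value = body.split("UserInit=", 1)[1].strip().rstrip(",").lower()
            if value != DEFAULT_USERINIT:
                findings.append((kind, "non-default UserInit", line))
        elif kind == "O4":
            m4 = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
            # Quoted paths keep their spaces; unquoted ones are taken up to the end.
            exe = m4.group("cmd").strip().strip('"').split('"')[0].split("\\")[-1].lower() if m4 else ""
            # Heuristic: a Run value named after its own file is typical of droppers.
            if m4 and m4.group("name").lower() == exe:
                findings.append((kind, "Run value named after its own executable", line))
        elif kind == "O17" and "NameServer" in body:
            for token in re.split(r"[ ,]+", body.split("=", 1)[1].strip()):
                try:
                    addr = str(ip_address(token))
                except ValueError:
                    continue
                if addr not in trusted_resolvers:
                    findings.append((kind, f"untrusted DNS resolver {addr}", line))
        elif kind == "O23" and "(file missing)" in body and "Unknown owner" in body:
            findings.append((kind, "unknown-owner service whose binary is missing", line))
    return findings
```

The output is a review list, not a verdict: a legitimate service whose path was logged oddly (the avast! Mail Scanner line above) will also land on it.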