serious security issues

I am running Windows XP, and I'm having some problems. My default home page is 'about:blank' but the page is actually some kind of 'home search' page. I get pop-ups from search-to-find.com, and when I search with google.com, another page (i think it is search-to-find.com) with my search also comes up. I've run spybot and ad-aware, and i cant fix anything. Here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 12:34:50 PM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\addts.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\mfcoc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Spyware tools\hjt\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2402C3DD-91D9-B6F7-07F1-480D80055DEE} - C:\WINDOWS\mses32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe "
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [mfcoc32.exe] C:\WINDOWS\mfcoc32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O19 - User stylesheet: (file missing)

 

Download CWShredder and save it to your desktop.

Run HJT and have it fix
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qagwt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab


I'd also have it fix the following if it were my PC. Not malware but startup items that add sludge to your system for no real benefit.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

And you really need to update your Sun Java from version 03 to 05
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

I don't recognize this one so unless you know exactly what it is, suspect malware and consider removing the entry and the file itself.
O4 - HKLM\..\Run: [mfcoc32.exe] C:\WINDOWS\mfcoc32.exe

Then boot to safe mode and with Windows Explorer set to show all files and then with all windows closed

Open CWShredder and click fix.
Open C:\Temp (if present), select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Windows\Applog, select all and delete.
Open Ad-aware and run. Delete all it finds.
Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.

Reboot

If you want a blank homepage you can certainly use one but these days, about:blank is a problem so
Open notepad to a blank page.
Save that page as c:\windows\web\blank.htm (set notepad to 'all files' so it doesn't add .txt to the end of the filename)
Open IE and change your home page to c:\windows\web\blank.htm

Run another HJT scan and post the results.

 

here is the new log...

Logfile of HijackThis v1.98.2
Scan saved at 1:46:49 PM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\addts.exe
C:\WINDOWS\system32\winim32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\Spyware tools\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pxqbz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pxqbz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pxqbz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pxqbz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pxqbz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pxqbz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pxqbz.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {287938FC-C69F-49E4-E2F9-36D6EEADCDF7} - C:\WINDOWS\system32\apidk.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe "
O4 - HKLM\..\Run: [winim32.exe] C:\WINDOWS\system32\winim32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

i have no idea what winim32 or apidk.dll are..they just came up. the pxqbz.dll stuff just came back up after i closed IE and ran hjt again...that same problem recurs but with a different named dll file

 

OK. Sorry to see that junk show up again. There is obviously something I'm missing and rather than us both spending a lot of time spinning our wheels for no really good result, I think it will be best to let this problem wait on one of the real security experts to take a look and direct the cleanup efforts from here. We have about a half-dozen regulars on here who are really good with this stuff and at this point, I'm only fair.

Most of them tend to be late-night posters though so it may be a while.

 

http://www.majorgeeks.com/download4289.html
Get About:Buster from the above link, there are some instructions on that page on how to use it.

 

Whew - and thank goodness for experts. Thanks markp62.

 

After downloading AboutBuster, run HijackThis again and place a check beside each of the following items. Then click fix.

O2 - BHO: (no name) - {287938FC-C69F-49E4-E2F9-36D6EEADCDF7} - C:\WINDOWS\system32\apidk.dll
O4 - HKLM\..\Run: [winim32.exe] C:\WINDOWS\system32\winim32.exe


Unzip AboutBuster to a folder on your desktop. Double click AboutBuster.exe and click ok, then update. A new screen should popup. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit.
Close ALL Internet Explorer windows. This is a very important step!!
Click start and then Ok. The program should start scanning. Wait for it to finish (may take a while), then hit exit and reboot.

Once rebooted run About:Buster once more to make sure everything is ok.

Reboot and run another HijackThis scan and post the log.

 

well, that helped me with my problem, and my computer was ok for about a half hour, and now i have the 'neo toolbar' and 8 new shortcuts on my desktop. i dont know what to do now, ive tried adaware, spybot, cqshredder, hjt, and aboutbuster..heres my new log.

Logfile of HijackThis v1.98.2
Scan saved at 1:49:56 AM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\Spyware tools\hjt\HijackThis.exe

O2 - BHO: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe "
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

 

Fix these with HJT.
O2 - BHO: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
Then delete this file.
C:\WINDOWS\System32\msqsb.dll
Hopefully you are clean after this, but surf for a bit, and then post a new log to be sure.

 

i fixed them, but for some reason i still cant delete msqsb.dll, even in safe mode.

 

Get MoveOnBoot.

 

k, got rid of the toolbar and the dll file, but there is still the moviemaker and xerox folder in my program files foler. those i can delete in safe mode, but they reappear when i reboot

 

Yes, they will reappear, XP wants those folders there. XP installs Movie Maker and the Xerox with the default install. Nothing bad about it.