
XP SP2/ hijack issue

Discussion in 'Malware and Virus Removal Archive' started by sblair, 2005/02/05.

Thread Status:
Not open for further replies.
  1. 2005/02/05
    sblair

    sblair Inactive Thread Starter

    Joined:
    2005/02/05
    Messages:
    2
    Likes Received:
    0
    I run XP SP2 and recently (yesterday) was hit with the about:blank hijack even though I run tcmonitor and active and Spybot S&D in real time. Trust me, I hit all the spyware tools to remove it, removed the about:blank registry entries, booted into safe mode, found this rogue process addhj.exe and deleted it, but I obviously haven't found the hidden .dll that continues to respawn all this :( I'm very frustrated. On top of this, the issue is causing me the inability to use Explorer. I can't do simple searches, open folders or anything; each time I attempt to, Watson dumps. Your help is appreciated.

    Logfile of HijackThis v1.99.0
    Scan saved at 11:28:35 AM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
    C:\WINDOWS\system32\addhj32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\system32\kxmixer.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\apinu32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Linksys Wireless Guard\WscGuard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\sblair\Desktop\putty.exe
    F:\Program Files\Trillian\trillian.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\sblair\LOCALS~1\Temp\Rar$EX00.391\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://espn.com "); (C:\Documents and Settings\sblair\Application Data\Mozilla\Profiles\default\rrg871s8.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://F%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\sblair\Application Data\Mozilla\Profiles\default\rrg871s8.slt\prefs.js)
    O2 - BHO: (no name) - {5E402D9E-4623-93B0-B226-EDA3D4E1E962} - C:\WINDOWS\system32\addet32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [apinu32.exe] C:\WINDOWS\apinu32.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpyiKiller] C:\PROGRA~1\SPYIKI~1\SpyiKiller.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
    O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} -
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} -
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098490677546
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{220E43A7-51DD-4247-B960-32007DD374FA}: NameServer = 206.165.6.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D91F892-8BD5-49E5-923B-068CBB7E9272}: NameServer = 206.165.6.11,206.165.6.12
    O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Linksys Wireless Guard Network Manager Service - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\addhj32.exe

    ----------------------------------------------------------

    Note: I remove and fix all the entries above that are obvious and it's an exercise in futility.

    Let me know what else you may need me to provide as input. Thanks.
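As an added example (not from this thread and not part of HijackThis itself), a small Python triage helper that parses lines in the log format posted above and flags the patterns the thread turns on: R0/R1 IE search settings redirected to a res:// page inside a local DLL (the about:blank hijack), unnamed O2 BHOs loading a DLL, O15 Trusted Zone wildcards, and O23 services with an unknown publisher running from the Windows directory. The sample lines are copied from the posted log; the matching rules are my own heuristics, not HijackThis's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\iqnar.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
O2 - BHO: (no name) - {5E402D9E-4623-93B0-B226-EDA3D4E1E962} - C:\WINDOWS\system32\addet32.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\addhj32.exe
"""

# Every HijackThis entry starts with a section code such as R1, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# res:// URLs render HTML embedded in a local DLL; a search/start page
# pointing at one is the classic about:blank hijack seen in this thread.
RES_DLL_RE = re.compile(r"res://.*\.dll", re.IGNORECASE)
# Binaries dropped directly into %WINDIR% or system32 with random names.
WINDIR_BIN_RE = re.compile(r"\\(system32|WINDOWS)\\[^\\]+\.(exe|dll)$", re.IGNORECASE)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(log: str) -> List[Dict[str, str]]:
    """Return the entries a defender should look at first, each with a reason."""
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reason = None
        if section in ("R0", "R1") and RES_DLL_RE.search(body):
            reason = "IE search/start page redirected to a res:// page inside a local DLL"
        elif section == "O2" and "(no name)" in body and body.lower().endswith(".dll"):
            reason = "unnamed Browser Helper Object loading a DLL"
        elif section == "O15" and "Trusted Zone" in body and "*." in body:
            reason = "wildcard domain added to the IE Trusted Zone"
        elif section == "O23" and "- Unknown -" in body and WINDIR_BIN_RE.search(body):
            reason = "service with unknown publisher running from the Windows directory"
        if reason:
            findings.append({"section": section, "reason": reason, "entry": body})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}: {f['entry']}")
```

Benign entries (the espn.com start page backup, the avast! Run key and mail scanner service) pass through unflagged, so the output is the short list a helper on a forum like this would ask about first.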
     
  2. 2005/02/05
    sblair

    sblair Inactive Thread Starter

    Joined:
    2005/02/05
    Messages:
    2
    Likes Received:
    0
    OK, posting again. I did 3 things: 1) I rolled back the registry to a January backup, 2) scrubbed the registry entries with HijackThis, especially of Explorer and the addhj.exe, and basically went to bare bones, and I was able to achieve stability with Explorer. This means I was able to use Windows Explorer without crashing. I got rid of the about:blank and then reran Ad-aware/avast/S&D etc. etc. So far so good. This sucked.
     


  4. 2005/02/05
    Tom Emmelot

    Tom Emmelot Well-Known Member

    Joined:
    2002/10/04
    Messages:
    54
    Likes Received:
    0
  5. 2005/02/06
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi sblair

    Yes, uninstall P2P Networking. This is the canned text I normally use.
    Uninstall SpyiKiller and any others you might have that are on the rogue list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
    ======================================
    For now, turn off TeaTimer.
    Open Spybot, on the toolbar menu select Mode and switch to Advanced mode, > Tools > Resident, uncheck TeaTimer, close Spybot. If the TeaTimer icon is still in the tray (clock area), right-click > Exit Resident. Don't turn it on until we are completely finished.
    You're running HijackThis from a temp folder and it still hasn't been unzipped; neither is a good idea.
    Create a new folder, for instance C:\AntiSpyware
    Download the exe from here to that new folder.
    http://www.merijn.org/files/HijackThis.exe
    This is necessary to ensure you have backups should anything go wrong
    Make and post a new log
     