Malware I can't shift

  CaleI 09:45 21 Jun 2004
Locked

Hi, I've been infected by a browser hijacker which I can't remove. I've tried the usual progs, Hijackthis and adware, but the trojan keeps overwriting my home page, search page etc etc. It's not even on reboot, it reactivates a few minutes after I've removed it with HJT. The ones that look like kcxhw.dll/sp.html#23851 are the ones I'm talking about.

Does anyone know how to remove this?

Here's the HJT log report

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\system32\netny32.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\system32\addel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\SSUK\My Documents\My Downloads\Hijack\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kcxhw.dll/sp.html#23851
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kcxhw.dll/index.html#23851
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kcxhw.dll/index.html#23851
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kcxhw.dll/sp.html#23851
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kcxhw.dll/index.html#23851
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kcxhw.dll/sp.html#23851
O2 - BHO: (no name) - {B756513C-B2A5-1805-60FF-E40570DBC936} - C:\WINDOWS\crqa.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [SafeTPKeyCheck] C:\WINDOWS\SafeTP\STPMGR.EXE /CHECKSEED
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addel.exe] C:\WINDOWS\system32\addel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [KeyWallet] C:\PROGRA~1\KEYWAL~1\KWallet.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: AOL 9.0.lnk = C:\Program Files\AOL 9.0\aol.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: c:\windows\safetp\stplayer.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here

  Lozzy 09:52 21 Jun 2004

Try Reg Healer it worked for me. click here

  Gongoozler 10:02 21 Jun 2004

Search page hijackers can often be removed by CoolWebShredder click here

  CaleI 10:03 21 Jun 2004

Thanks, but I'd rather explore the 'free' options first. I'm not going to fork out £20 on a product that 'may' work.

  CaleI 10:08 21 Jun 2004

Gongoozler, I tried that... no joy

  Lozzy 10:14 21 Jun 2004

Unfortunately, sometimes in life you get what you pay for. That was the only thing that cured my issue and it was the same as yours.

I could not find a freeware to sort.

  CaleI 10:20 21 Jun 2004

Well, if I pay for a program, then they have won. It's the principle. I'll explore every option before I pay. It's funny, most of the ads that pop up with this thing are for spyware removal. Kinda ironic. Wouldn't surprise me if it was the same companies who set up these scams!

  Gongoozler 10:43 21 Jun 2004

Hi CaleI. I think your best bet now is to post your HJT log on a specialist forum such as net-integration.net click here

  Gongoozler 10:44 21 Jun 2004

---- or Computercops click here

  Newuser4165 11:25 21 Jun 2004

Have you switched off system restore before cleaning it?
From your description it's in the restore folder.

This thread is now locked and can not be replied to.
