ID exe and hijacker lines

nvsvc32.exe is a process that belongs to the NVIDIA graphics card drivers. This process should not be removed to ensure that your graphics card drivers is working properly.

Here are your R0 & R1 lines R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\neakt.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\neakt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\neakt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\neakt.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\neakt.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\neakt.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\neakt.dll/sp.html#96676

Thus the file you need to delete the contents of and resave is: C:\WINDOWS\system32\neakt.dll

Your BHO line is:
O2 - BHO: (no name) - {B2E5AAE7-C7F0-C2A6-61EC-3AB838955A17} - C:\WINDOWS\system32
\crdp.dll

Your O4 process (only 1):
O4 - HKLM\..\Run: [sysiw32.exe] C:\WINDOWS\system32\sysiw32.exe

Other processes (only 1):
C:\WINDOWS\winth32.exe

Did you find either NSS or WNS running? If so, what was the path to executable? Was it C:\WINDOWS\winth32.exe ?

Do you have enough now to continue? Please note you may need to check your log again before proceeding since this problem can mutate with reboots and from attempted partial fixes.

 

If you got an OTB popup, it sounds like you still have the problem to me! Note: you should not be surfing while doing the repairs. You must be disconnected and remain disconnected until completes.

After finishing the procedure, post the logs as requested but do not shutdown or reboot your PC so we can avoid any mutation. Just what for me to come back with the next steps (unless you are sure you can figure out how to run thru the procedure again correctly on your own. That is...assuming there is still a problem.)

 

Right now your log looks good. The problem appears to be solved. But I have a few questions.

Did you actually do

1) step 13a (Reset Web Settings)
2) step 13k run About:Buster first time? Where's the log attachment?
3) step 16 run About:Buster second time? Where's the log attachment?


Part of the reason I ask is that no R0 & R1 lines show at all in your log.
Step 13 should have set defaults except home page (which was set to majorgeeks).
But both steps 13k and 16 should have reset the home page to www.google.com which I would expect to show in an R0 line.
Also I wanted to see the About:Buster logs as requested in the procedure.

Note your HJT log (and the About:Buster logs) should be posted as text attachments. Not in line text. Noticed how I fixed it for you.


Question & other comment:
1) Can I safely assume you know what these are:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waterway.waterway.net
O17 - HKLM\Software\..\Telephony: DomainName = waterway.waterway.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = waterway.waterway.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = waterway.waterway.net

2) You really need to get your OS & IE updated. At least get up to SP1 on both of them. And get the other critical updates too (other than WinXP SP2). When you are sure everything is running okay (no virus/other malware problems) your should look into SP2. Why haven't you updated? Slow internet connection?

 

Make sure you save the About:Buster logs to differnent file names each time (like ab1.txt then ab2.txt).

The following is the file you are going to edit with notepad in step 5:
C:\WINDOWS\system32\lcecf.dll


The following is your O2 BHO for step 7
O2 - BHO: (no name) - {50B7E5C6-CBCB-96EC-1B80-B6EEA0F4D5FC} - C:\WINDOWS\system32\d3od32.dll

The following are your O4 lines for step 8
O4 - HKLM\..\Run: [mfcyr.exe] C:\WINDOWS\mfcyr.exe
O4 - HKLM\..\RunOnce: [vedmy] C:\WINDOWS\twain_32.dll:vedmy

For step 10 you need to delete:
- C:\WINDOWS\system32\d3od32.dll
- C:\WINDOWS\mfcyr.exe
- C:\WINDOWS\twain_32.dll:vedmy <---- I'm guessing that this is going to be trouble finding or deleting. Let me know (but do not conect to the internet using this PC during this repair process. Wait until you finish to tell me.
- and any files you find in step 6 for NSS or WNS
The following are your lines for Step 12:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lcecf.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lcecf.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing

In step 14 where I have you run Ad-aware SE, this time do not select full system scan. Do the below:
Run Ad-aware SE and click Scan Now, the choose the Scan volume for ADS. The click the underlined word 'Select'. Choose you harddisk drive (C) and then click Proceed. The click Next. If it finds anything tell me what it finds.

 

You do not have the proper version of Ad-aware SE. Please update to 1.05.

Did Ad-Aware fix all of the ADS items it found?

 

You're welcome. So I assume the hijacker problems are all resolved?

 

You are most welcome again! Happy surfing!