Yep Anon you have some problems here.. 1 is the hijacking plus some other malware Before you can start to fix it you must do some things..
1) You must actually unzip hijackthis and place it in a folder of its own.. If you do not do this none of the fixes with hijackthis will work correctly

2) Now follow this procedure and we will get you started on its removal
This is a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service.

Obtain list of irregular services:

Please download ServiceFilter.

Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.

Navigate to where you unzipped it and double-click on ServiceFilter.vbs.

If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.

It will open a text file (POST_THIS.TXT) that lists all of the irregular services.

Press Ctrl + A simultaneously to select all of the text.

Copy and paste the whole thing into your next post.

A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.

Hope this is right!Thanks!
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Dec 5, 2004 1:40:02 PM


===> Begin Service Listing <===

Unknown Service #1
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Auto
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Running
Process ID: 1892
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{c8ce8279-582f-48a3-bdb5-76718247509d}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: �%AF夶À¨
Display Name: Network Security Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\crof32.exe /s
State: Running
Process ID: 460
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 91 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 4.859375 seconds.

Yep it's right and now for the next set of steps

1) Post a new hijackthis log (I hope you placed it in a folder of its own as I requested.. Remember this won't work if you don't)

Prepare AboutBuster for use:

Download AboutBuster.

Unzip AboutBuster to a convenient folder such as C:\AboutBuster.

Run AboutBuster.exe. Click OK, Update, Check For Update. Download the updates if they exist.

Click Exit as I do not want you to run the program yet.

Prepare cwsserviceremove.reg for use:

Download cwsserviceremove.zip.

Unzip cwsserviceremove.reg to your desktop but do not run it yet.

Print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Reconfigure Windows XP to show hidden files:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

Now we're ready for the meat of this.. I just need to see that new hijackthis log before we can start..

Here is the new log. I have it in a folder by itself.
Logfile of HijackThis v1.97.7
Scan saved at 7:33:43 PM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\crof32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\WINDOWS\syswn32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\RICH\My Documents\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {9C207CFF-DF60-AB9F-5237-9572CDA6C7E7} - C:\WINDOWS\system32\d3co32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: C:\WINDOWS\syswn32.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: RunDll32 essprops.cpl,TaskbarIconWnd
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {3730312D-0896-4BB9-9AA8-1D28D503E12E} (AXDownloaderCtl Class) - http://www.homegrownvideo.com/member/downloads/AXDownloader.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0412bbe1a039e7932c01/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094177771166
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.4940740741
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Tried to download cwsserviceremove.zip , but comes back with invalid attachment,contact webmaster.

Ok now we can continue and fix this mess for you!!
Ok you can get the file you need cwsuninst.txt )rename it as cwsuninst.reg)
Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Note if this doesn't work you may need to follow the intructions here


To get back to normal mode just restart the computer as you normally would. Don't do that yet Stay in safe mode..

Stop and disable the offending service:

Using the Start button click on | Run | type services.msc | OK

Scroll down the list until you find the service called (Network Security Service).

Double-click on it and under the General tab click Stop to stop the service.
Change the Startup Type to Disabled.

Click Apply and then OK and close any open windows.

End the service process:

Press the Ctrl + Alt + Delete keys simultaneously to open the Task Manager.

Under the Processes tab find c:\windows\system32\crof32.exe

Click End Process.

File | Exit Task Manager


Now Be sure that there are no browser windows running and scan again with hijackthis place a check by each of the following entries and click on fix..

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qpwrp.dll/sp.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

O2 - BHO: (no name) - {9C207CFF-DF60-AB9F-5237-9572CDA6C7E7} - C:\WINDOWS\system32\d3co32.dll

O4 - HKLM\..\Run: C:\WINDOWS\syswn32.exe

O4 - HKLM\..\Run: c:\program files\180solutions\sais.exe

O4 - HKLM\..\Run: "C:\Program Files\Web_Rebates\WebRebates0.exe

O4 - HKCU\..\Run: C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

Now click on "My Computer and navigate to C:\WINDOWS\system32 and delete the following files in bold
qpwrp.dll
d3co32.dl

Now navigate to c:\Program files and delete the folder Web_Rebates and the files within that folder especially WebRebates0.exe

Now navigate to the sub folder within "program files" called "Common Files and delet the folder tsa and all files within. especially tsm2.exe

Now run the CWSuninst.reg file click yes when it wants to add contents to the registry..

Browse to where you saved AboutBuster and run AboutBuster.exe.

Click OK at the directions prompt.

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.

Click Yes to allow it to shutdown explorer.exe.

It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.

When it has finished, click Save Log. Make sure you save it as I need a copy of it.

Now lets clean out your temp files Click on start then run and type cleanmgr and click on OK

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

Press OK to remove them.

Restart your computer and now we will restore some files this infection may have deleted..

Restart your computer normally to return to normal mode.

You will likely need control.exe - Visit this page.

Since you are running Windows XP copy it to C:\WINDOWS\system32.

HOSTS - Download the Hoster.

Unzip Hoster to a convenient folder such as C:\Hoster.

Run Hoster.exe, click Restore Original Hosts and then click OK.

Click the X to exit the program

Run the TrendMicro Housecall online virus scan. Let it fix what it finds

Post a new hijackthis log as well as the aboutbuster log..

Let us know of any other problems you had..

When I try to get cwsuninst.txt, it opens to cwsuninst(1).txt notepad. It says regedit4 at beginning.Am I doing something wrong? Probably wont start this project til tomorrow night. I will post my results! Thank you very much, this problem is driving me nuts!

Yep you have to rename that file your self to cwsuninst.reg

SO right click on the file and select rename and then type in the name cwsuninst.reg