How do I remove HSA (Home Search Assistant)?


15 replies to this topic

#1 monty

monty

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 13 July 2004 - 12:40 PM

I have recently found Home Search Assistant, Shopping Wizard and Search Extender in my Add/Remove list and I'm unable to remove it. My HijackThis log is:

Logfile of HijackThis v1.98.0
Scan saved at 18:29:14, on 13/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\crjv32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\netil32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\YxlE.exe
C:\WINDOWS\System32\Nvr0A.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmyxn.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmyxn.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zmyxn.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zmyxn.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmyxn.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmyxn.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [33#EWGG2AXLQC#] C:\WINDOWS\System32\BnyLs4.exe
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

Please could someone help remove this? Cheers.

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 13 July 2004 - 02:19 PM

First let's remove the Peper trojan, so download uninst.exe here and run it while you are online, then reboot.
Then download About:Buster and unzip it to your desktop. Start it, hit OK, Start, and OK again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.
Note: You may need to run About:Buster a few times in Normal mode or reboot into safe mode and try it. Directions.

Edited by mmxx66, 13 July 2004 - 02:21 PM.


#3 monty

Posted 14 July 2004 - 03:46 PM

I downloaded that memory watcher but it doesn't seem to do anything, it just opens a square in the taskbar which I can't do anything with, is this right? I seem to get rid of the Home Search Assistant, but then it comes back after about 20 seconds even in safe mode. Why is this? My new HijackThis log is:


Logfile of HijackThis v1.98.0
Scan saved at 21:42:05, on 14/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\crjv32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\netil32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\Mai4Dyx.exe
C:\WINDOWS\System32\Mai4Dyx.exe
C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [33#EWGG2AXLQC#] C:\WINDOWS\System32\LsxI52.exe
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

Please help soon because I'm going on holiday on Friday, cheers.

#4 monty

Posted 14 July 2004 - 03:48 PM

-- Scan 1 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 3 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

This is my About:Buster log. As you can see, it seems to get rid of the Home Search Assistant but then it comes back. This was done in safe mode.

#5 mmxx66

Posted 14 July 2004 - 03:58 PM

Download PeperFix: http://downloads.sub...rg/PeperFix.exe
Save it to your Desktop.
Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
Ensure that you are online before starting the fix. Make sure to run the fix twice.

Edited by mmxx66, 14 July 2004 - 04:08 PM.


#6 monty

Posted 15 July 2004 - 10:43 AM

I have run PeperFix and it has deleted all the bad files. What shall I do next? Cheers.

#7 mmxx66

Posted 15 July 2004 - 10:46 AM

Post a new HijackThis log, please.

#8 monty

Posted 15 July 2004 - 10:49 AM

Logfile of HijackThis v1.98.0
Scan saved at 16:49:42, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\crjv32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\netil32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zvjye.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvjye.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zvjye.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zvjye.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zvjye.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvjye.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

#10 mmxx66

Posted 15 July 2004 - 11:14 AM

You're clean of the Peper infection, now let's run About:Buster again in safe mode.

#11 monty

Posted 15 July 2004 - 12:19 PM

Logfile of HijackThis v1.98.0
Scan saved at 17:20:29, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\crjv32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\netil32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

#12 mmxx66

Posted 15 July 2004 - 12:32 PM

Close all windows and browsers and have HijackThis fix these items:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe


Then reboot in safe mode (tap F8 continuously when the computer is first booting).

Make sure to have your system set to show hidden files and folders. Check here: http://www.xtra.co.n...1916458,00.html
And delete these files:
C:\WINDOWS\system32\javaif32.dll
C:\WINDOWS\netil32.exe
C:\WINDOWS\crjv32.exe

The following DIRECTORY CONTENTS (but not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your System Restore:

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply.
5 This will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot into normal mode, enable System Restore and post a fresh log in this thread to give you further recommendations.

#13 monty

Posted 15 July 2004 - 02:21 PM

Logfile of HijackThis v1.98.0
Scan saved at 20:18:19, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\crjv32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\netil32.exe
C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

#14 monty

Posted 15 July 2004 - 02:22 PM

Logfile of HijackThis v1.98.0
Scan saved at 20:23:16, on 15/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\crjv32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\netil32.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ycenp.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ycenp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178
O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

#15 mmxx66

Posted 15 July 2004 - 03:36 PM

1. You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *OK* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R331 08.07.2004 or higher listed.

2. Print out these instructions so you have them handy, as most of the steps need to be done in safe mode and you may not be able to go online.

3. Make sure your PC is configured to show hidden files.

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

4. Next, go to Start->Run and type "Services.msc" (without quotes), then hit OK.

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

6. Scan with HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ycenp.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ycenp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe


7. Delete the following files if present.
C:\WINDOWS\crjv32.exe
C:\WINDOWS\netil32.exe

8. Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *OK* to remove:


Temporary Files
Temporary Internet Files
Recycle Bin

11. Reboot to normal mode, scan again with HijackThis and post a new log here.

12. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Post a fresh HijackThis log and the AboutBuster report back here please.

#16 mmxx66

Posted 15 July 2004 - 03:49 PM

You need to update Windows, otherwise you'll be reinfected soon. You do need the security patches.
http://www.microsoft.../ie/default.asp

Edited by mmxx66, 15 July 2004 - 07:18 PM.
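Added example, not part of any post in this thread: a small Python comparison of successive HijackThis logs, showing which entries survive every cleanup pass unchanged and which `res://` DLL names differ from scan to scan. The log excerpts are copied from posts #1, #8 and #14 above; the function names are this example's own.

```python
import re

# Result lines excerpted from the HijackThis logs in posts #1, #8 and #14.
LOG_POST_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmyxn.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmyxn.dll/index.html#37794
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [33#EWGG2AXLQC#] C:\WINDOWS\System32\BnyLs4.exe
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
"""
LOG_POST_8 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zvjye.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvjye.dll/index.html#37794
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
"""
LOG_POST_14 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794
O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe
"""
LOGS = [LOG_POST_1, LOG_POST_8, LOG_POST_14]

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")               # "O4 - detail"
RES_DLL = re.compile(r"res://([^/]+\.dll)/", re.IGNORECASE)   # DLL path inside a res:// URL


def parse_entries(log):
    """Return [(code, detail)] for every HijackThis result line in the log text."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def res_dlls(log):
    """Lower-cased base names of DLLs that R0/R1 (IE page settings) point at via res://."""
    names = set()
    for code, detail in parse_entries(log):
        if code in ("R0", "R1"):
            for path in RES_DLL.findall(detail):
                names.add(path.rsplit("\\", 1)[-1].lower())
    return names


def persistent_entries(logs):
    """Entries present verbatim in every log, i.e. untouched by each cleanup pass."""
    return sorted(set.intersection(*(set(parse_entries(log)) for log in logs)))


def rotated_names(logs):
    """Per log, the res:// DLL names seen in that log only (the name changed between scans)."""
    per_log = [res_dlls(log) for log in logs]
    return [sorted(n for n in names if sum(n in other for other in per_log) == 1)
            for names in per_log]


if __name__ == "__main__":
    print("res:// DLL per scan:", rotated_names(LOGS))
    for code, detail in persistent_entries(LOGS):
        print("present in every scan:", code, "-", detail)
```

On these excerpts the only entries present in all three scans are the O2 BHO (`javaif32.dll`) and the `netil32.exe` Run key, both of which are on the fix list in post #15, while the `res://` DLL name is different in each scan, so a check for one fixed DLL file name would not match the next log.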




