• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
monty

How do i remove HSA(home search assistent?)

16 posts in this topic

i have recently found Home search assistent, shopping wizard and search extender in my add/remove list and i'm unable to remove it. my hijack this log is:

 

Logfile of HijackThis v1.98.0

Scan saved at 18:29:14, on 13/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\crjv32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\netil32.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\YxlE.exe

C:\WINDOWS\System32\Nvr0A.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\MSN\MSNCoreFiles\msn6.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmyxn.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmyxn.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zmyxn.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zmyxn.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmyxn.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zmyxn.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [33#EWGG2AXLQC#] C:\WINDOWS\System32\BnyLs4.exe

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

 

please could someone help remove this. cheers.

Share this post


Link to post
Share on other sites

First let´s remove the Peper trojan so download uninst.exe here and run it while you are online, reboot.

then download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

Note: You may need to run About Buster a few times in Normal mode or reboot into safe mode and try it. Directions.

Edited by mmxx66

Share this post


Link to post
Share on other sites

i downloaded that memory watcher but it doesnt seem to do anything, it just opens a square in the taskbar which i cant do anything with, is this right? i seem to get rid of the home search assistent, but then it comes back after about 20 seconds even in safe mode. why is this? my new hijack this log is:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 21:42:05, on 14/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\crjv32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\netil32.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\Mai4Dyx.exe

C:\WINDOWS\System32\Mai4Dyx.exe

C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [33#EWGG2AXLQC#] C:\WINDOWS\System32\LsxI52.exe

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

 

Please help soon because i'm goin on holiday on friday, cheers.

Share this post


Link to post
Share on other sites

-- Scan 1 --------

About:Buster Version 1.27

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-- Scan 2 --------

About:Buster Version 1.27

Attempted Clean Of Temp folder.

Pages Reset... Done!

 

-- Scan 3 --------

About:Buster Version 1.27

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

this is my about buster log, as you can see it seems to get rid of the home search assistent but then it comes back. this was done in safe mode.

Share this post


Link to post
Share on other sites

Download PeperFix: http://downloads.subratam.org/PeperFix.exe

Save it to your Desktop.

Click on the PeperFix.exe to launch it.

 

Click the Find and Fix button.

 

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.

Ensure that you are online before starting the fix. Make sure to run the fix twice.

Edited by mmxx66

Share this post


Link to post
Share on other sites

Post a new hijack this log, please.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 16:49:42, on 15/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\crjv32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\netil32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\MSN\MSNCoreFiles\msn6.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zvjye.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvjye.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zvjye.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zvjye.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zvjye.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvjye.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 16:49:42, on 15/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\crjv32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\netil32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\MSN\MSNCoreFiles\msn6.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zvjye.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvjye.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zvjye.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zvjye.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zvjye.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvjye.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

Share this post


Link to post
Share on other sites

You´re clean of the Peper infection, now let´s run About Buster again in safe mode.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 17:20:29, on 15/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\WINDOWS\crjv32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\netil32.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\MSN\MSNCoreFiles\msn6.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

Share this post


Link to post
Share on other sites

Close all windows and browsers and have hijack this to fix these items:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

 

then reboot in safe mode (Tap F8 continuously when the computer is first booting. )

 

Make sure to have your system set to show hidden files and folders.. Check Here http://www.xtra.co.nz/help/0,,4155-1916458,00.html

And delete these files:

C:\WINDOWS\system32\javaif32.dll

C:\WINDOWS\netil32.exe

C:\WINDOWS\crjv32.exe

 

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.

* C:\Windows\Temp\

* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet

content including cookies. This is recommended and strongly suggested.

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

 

Then disable your system restore

 

1 Right-click My Computer, and then click Properties.

2 Click the System Restore tab.

3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

4 Click Apply

5 this will delete all existing restore points. Click Yes to do this.

6 Click OK.

 

Reboot into normal mode enable System Restore and post a fresh log in this thread to give you further recommendations.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 20:18:19, on 15/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\crjv32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\netil32.exe

C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.98.0

Scan saved at 20:23:16, on 15/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\crjv32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\netil32.exe

C:\Program Files\MSN\MSNCoreFiles\msn6.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\nick\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ycenp.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ycenp.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

O17 - HKLM\System\CS1\Services\Tcpip\..\{176FFE7E-C545-4241-B210-378D43210992}: NameServer = 80.225.252.186 80.225.252.178

Share this post


Link to post
Share on other sites

1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R331 08.07.2004 or higher listed.

 

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

 

3. Make sure your PC is configured to show hidden files

 

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"

Click "Apply" then "OK"

 

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

 

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

 

5. Reboot to Safe Mode

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

6. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ycenp.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ycenp.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ycenp.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ycenp.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {88AE5BAB-3DC7-9717-34AB-BAC95A1C967A} - C:\WINDOWS\system32\javaif32.dll

O4 - HKLM\..\Run: [netil32.exe] C:\WINDOWS\netil32.exe

 

7. delete the following files if present.

C:\WINDOWS\crjv32.exe

C:\WINDOWS\netil32.exe

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

 

9. Scan with Adaware and let it remove any bad files found.

 

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

 

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

 

12. Finally, do an online scan at the following site. Let it remove any infected files found.

Trend Micro (PC-cillin) - Free on-line Scan

http://housecall.antivirus.com

 

Post a fresh HijackThis log and the AboutBuster report back here please.

Share this post


Link to post
Share on other sites

You need updating windows otherwise you´ll be reinfected soon. You do need the security patches.

http://www.microsoft.com/windows/ie/default.asp

Edited by mmxx66

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0