Home Search, Search Extender, Shopping Wizard
17 replies to this topic

#1 Zeldanemesis (Full Member, 11 posts)
Posted 15 July 2004 - 06:25 PM

I have tried to get rid of Home search assistant, to no avail, and I can't seem to find a way to get rid of the other two. Here is my Hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 4:50:26 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\ntme.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\msnqmgr.exe
C:\WINDOWS\appbf32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\xmuleoec.exe
C:\WINDOWS\System32\_10006c.exe
C:\WINDOWS\System32\Ctbjci7.exe
C:\WINDOWS\System32\EmvM8.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Games\Zip Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://suwwg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://suwwg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

and here is my About:Buster log:

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\addah.dat
Removed! : C:\WINDOWS\kuqor.dll
Removed! : C:\WINDOWS\xfjpu.dat
Removed! : C:\WINDOWS\smmic.dll
Removed! : C:\WINDOWS\grdlf.dat
Removed! : C:\WINDOWS\cjzsa.dll
Removed! : C:\WINDOWS\grmwc.dat
Removed! : C:\WINDOWS\cqvim.dll
Removed! : C:\WINDOWS\lmett.dat
Removed! : C:\WINDOWS\System32\bvrcs.dat
Removed! : C:\WINDOWS\System32\ydjlr.dll
Removed! : C:\WINDOWS\System32\jjxaw.dat
Removed! : C:\WINDOWS\System32\wnevs.dat
Removed! : C:\WINDOWS\System32\kuzzj.dat
Removed! : C:\WINDOWS\System32\jbkug.dat
Removed! : C:\WINDOWS\System32\iuxsp.dat
Removed! : C:\WINDOWS\System32\huvha.dat
Removed! : C:\WINDOWS\System32\gtimb.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Any help is greatly appreciated.

#2 Zeldanemesis (Full Member, 11 posts)
Posted 16 July 2004 - 10:29 AM

BUMP

Please help. I want to get rid of these before they start causing problems. Any help at all will be greatly appreciated.

Thanks

#3 kdallmer (New Member, 3 posts)
Posted 16 July 2004 - 10:31 AM

The offending problem is HSA or Home Search Assistant.

I found two ways to fix this issue..

Microsoft page: http://support.micro...spx?kbid=247501

or a utility at http://hsremove.bravehost.com and download hsremove.exe

run it and it seems to work...

***** New ***

This only fixed part of my issue... there still is something that wants to reload the redirecting software. Will get back

***** Update ****

ALL,

I had to disable spybot and run in safe mode, and this cleaned everything...

The only thing is when you're done you have to reset your home and search pages as this utility changes them to a confirmation page that your system is clean...

#4 Zeldanemesis (Full Member, 11 posts)
Posted 16 July 2004 - 10:44 AM

I appreciate the help, but neither worked. I have XP, and the article on removing it from Ad/Remove Programs does not work for XP. And I have tried using HSRemove. I ran it in safe mode using the instructions it gave, and the first time I opened IE it worked, but HSA was back the second time I opened it.

#5 SuperG (Full Member, 17 posts)
Posted 02 August 2004 - 04:27 PM

OK, NEWBIE here, but I've been fighting on my own for awhile now until I found this site today.

Here's what I see as wrong:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://suwwg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://suwwg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

I would lose every one of those R entries. BUT, you're going to have to find what's causing them or they are going to keep coming back.

O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

Those should go too.

O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe

I'd be suspicious of that one too....

There's likely more, but those leapt out at me. Let me know what you get after 'fixing' those....
"I just dropped in to see what condition my condition was in...."
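A log-triage helper, added here as an example (it is not a tool from this thread or from SpywareInfo), that applies SuperG's reasoning mechanically to a HijackThis log: R0/R1 entries pointing into a res:// DLL are the symptom, and the nameless BHO and the O4 autoruns that keep re-creating them are what has to be found. It works on a constructed, cut-down log modelled on the ones posted above, treats the two NVIDIA entries the helpers left alone as an assumed allowlist, and also compares two logs to spot the hijack coming back under a freshly generated DLL name, as it does between the posted logs.

```python
import re
from collections import namedtuple

# Constructed sample: a cut-down HijackThis-style log built from the kinds of
# entries posted in this thread; it is not one of the full logs above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\appbf32.exe
C:\WINDOWS\System32\xmuleoec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://suwwg.dll/index.html#96676
O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\sysdk32.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe
"""

Finding = namedtuple("Finding", "code kind detail line")
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# res://C:\WINDOWS\suwwg.dll/sp.html and res://suwwg.dll/index.html -> suwwg.dll
RES_DLL_RE = re.compile(r"res://(?:[^/]*\\)?([^/\\]+\.dll)", re.I)
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once|Services)?: \[([^\]]*)\] (.*)$")
MODULE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr))", re.I)
# An autorun loading an unknown file straight from here (or with no path, so
# it is resolved via PATH) is the pattern the thread chases; "" = bare name.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", ""}
# Assumed allowlist for this example only: the NVIDIA entries the helpers in
# the thread left alone. Real triage needs a far larger known-good list.
KNOWN_GOOD = {"nvcpl.dll", "nvmctray.dll"}
CLEAN_NAME_RE = re.compile(r"^[A-Za-z0-9 ._&-]+$")


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return processes, entries


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def module_of(command):
    """The file an O4 command really loads: for rundll32, the DLL it is handed."""
    if command.lower().startswith("rundll32.exe "):
        command = command[13:].split(",", 1)[0]
    m = MODULE_RE.match(command)
    return m.group(1) if m else command


def hijack_dlls(text):
    """DLLs that the R0/R1 entries point IE's start/search pages into via res://."""
    _, entries = parse_hjt(text)
    hits = (RES_DLL_RE.search(b) for c, b in entries if c.startswith("R"))
    return sorted({h.group(1).lower() for h in hits if h})


def triage(text):
    """Separate the symptom (R entries) from the likely causes (BHO, autoruns)."""
    processes, entries = parse_hjt(text)
    running = {split_path(p)[1] for p in processes}
    findings = []
    for code, body in entries:
        line = f"{code} - {body}"
        if code.startswith("R") and RES_DLL_RE.search(body):
            findings.append(Finding(code, "symptom",
                "IE page set to a res:// DLL resource; resetting it alone will not hold", line))
        elif code == "O2" and "(no name)" in body:
            d, name = split_path(body.rsplit(" - ", 1)[-1])
            if d in WINDOWS_DIRS:
                findings.append(Finding(code, "cause", f"nameless BHO {name} in {d or 'PATH'}", line))
        elif code == "O4" and (m := O4_RE.match(body)):
            value_name, command = m.groups()
            d, name = split_path(module_of(command))
            reasons = []
            if d in WINDOWS_DIRS and name not in KNOWN_GOOD:
                reasons.append(f"loads {name} from {d or 'PATH'}")
            if not CLEAN_NAME_RE.match(value_name):
                reasons.append(f"garbage value name {value_name!r}")
            if reasons and name in running:
                reasons.append("process is running now; end it before fixing the entry")
            if reasons:
                findings.append(Finding(code, "cause", "; ".join(reasons), line))
    return findings


def reinfected(earlier_log, later_log):
    """True when the hijack is back under a freshly generated DLL name."""
    before, after = hijack_dlls(earlier_log), hijack_dlls(later_log)
    return bool(after) and before != after
```

Run `triage(SAMPLE_LOG)` to see the two symptom entries and five cause entries; the HP and NVIDIA autoruns are left alone, as they were in the thread.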

#6 Zeldanemesis (Full Member, 11 posts)
Posted 02 August 2004 - 04:59 PM

I deleted all of those and they came back right after I deleted them. I made sure to close everything, especially Internet Explorer. Maybe I need to post a new log file. It's been a while since I posted my other one and I think I noticed some other things on there.

Logfile of HijackThis v1.97.7
Scan saved at 3:58:27 PM, on 8/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\msnqmgr.exe
C:\WINDOWS\appbf32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\xmuleoec.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\ntme.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DplY6.exe
C:\WINDOWS\System32\Yzj2W8DO.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Games\Zip Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtimb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gtimb.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gtimb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtimb.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gtimb.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gtimb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\sysdk32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Here's an updated Log file.

Thanks for taking the time to help me. I really appreciate it.

#7 SuperG (Full Member, 17 posts)
Posted 02 August 2004 - 10:49 PM

Sorry, I jumped the gun I guess. I misunderstood this as an open forum, and jumped in before I got a message suggesting I do otherwise. If you haven't been fixed up by the time I'm signed off on, I'll do my best to help.

Sorry about that.
"I just dropped in to see what condition my condition was in...."

#8 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 03 August 2004 - 09:27 AM

To Remove your peper infection please follow the listed procedure:
After the peper infection has been removed:
  • Please download About:Buster from any of the following locations:
  • Boot into safe mode. How do I boot into "Safe" mode?
  • Unzip the downloaded about:buster program to your desktop.
  • Double click it and hit "Ok".
  • Click "Start".
  • Select "Ok" to start the scan.
  • The scan should take a few seconds.
  • Once it is done save the report.
  • Reboot and sign in as you normally do and repeat the procedure for running about:buster.
  • Post the results of the report and a fresh HijackThis log for review.

#9 Zeldanemesis (Full Member, 11 posts)
Posted 03 August 2004 - 10:38 AM

Okay. Thanks so much. Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 9:35:42 AM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ntme.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\msnqmgr.exe
C:\WINDOWS\appbf32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\xmuleoec.exe
C:\Games\Zip Stuff\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\sysdk32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

and here is the About:Buster log:

-- Scan 1 --------
About:Buster Version 1.30
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Thanks again for all your help.

#10 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 03 August 2004 - 10:55 AM

  • You still have a peper infection: To Remove your peper infection please follow the listed procedure:
    • Download and run this Peper-uninstaller, making sure you're online while running it!
    • Reboot into safe mode - How do I boot into "Safe" mode?
    • Download the Newuninst uninstaller and run it.
    • Run Ad-Aware with the latest update.
      • Download the latest version of Ad-Aware from here.
      • After installing Ad-aware, and before running the program, Please be sure to update the reference file as per these instructions.
      • Reconfigure Ad-Aware for Full Scan as per the following instructions:
      • Launch the program, and click on the Gear at the top of the start screen.
      • Click the "Scanning" button (On the left side).
      • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • Click "Click here to select Drives + folders" and select your installed hard drives.
      • Under Memory & Registry, select all options.
      • Click the "Advanced" button (On the left hand side).
      • Under "Log-file detail", select all options.
      • Click the "Tweak" button (Again, on the left hand side).
      • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:
      • "Include additional Ad-aware settings in logfile"
      • "Unload recognized processes during scanning."
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "Let Windows remove files in use after reboot."
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
    • Select "Activate in-Depth scan".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
  • HijackThis ...
  • Double click on "My Computer" to open it.
  • Double click on the local "C-Drive" to open it.
  • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
  • Please download HijackThis from any of the following locations:
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis (This should, typically, be run from C:\HJT\HijackThis.exe)
    • Click on "Config" in the bottom right corner of the HijackThis window.
    • Make sure that the "Main" tab is selected at the top.
    • Place a checkmark in the box labelled "Make backups before fixing items".
    • Click on "Back" in the bottom right corner.
    • Make sure all Browser windows are closed otherwise it may interfere with the fixing of items.
    • Click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":
    O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\sysdk32.dll
    O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
    O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
    O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
    O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
    O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
  • DIRECTORY CONTENTS (But not the directory)
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. Click on "OK" once more to close the options panel.
    • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • DIRECTORIES
    • Nothing to Delete
  • FILES
    • C:\WINDOWS\sysdk32.dll
    • C:\WINDOWS\System32\Qcn03Z2H.exe
    • C:\WINDOWS\appbf32.exe
    • C:\WINDOWS\System32\xmuleoec.exe
    • C:\WINDOWS\ntme.exe
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.

#11 Zeldanemesis (Full Member, 11 posts)
Posted 03 August 2004 - 12:08 PM

Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 11:04:18 AM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Games\Zip Stuff\aaw6181.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\appbf32.exe
C:\WINDOWS\ntme.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hrydd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hrydd.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hrydd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hrydd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hrydd.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hrydd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {3484845E-4CE4-1539-2AA2-4AD62499E085} - C:\WINDOWS\system32\sdknq.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [System Toolkit] C:\Games\Zip Stuff\aaw6181.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe
O4 - HKLM\..\RunOnce: [crfh.exe] C:\WINDOWS\crfh.exe
O4 - HKLM\..\RunOnce: [winnc.exe] C:\WINDOWS\winnc.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

The R1's and R0's are back. There has to be something still hiding somewhere.

#12 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 03 August 2004 - 12:38 PM

  • Please download About:Buster from any of the following locations:
  • Boot into safe mode. How do I boot into "Safe" mode?
  • Unzip the downloaded about:buster program to your desktop.
  • Double click it and hit "Ok".
  • Click "Start".
  • Select "Ok" to start the scan.
  • The scan should take a few seconds.
  • Once it is done save the report.
  • Reboot and sign in as you normally do and repeat the procedure for running about:buster.
  • Post the results of the report and a fresh HijackThis log for review.
Run through this twice in safe mode and twice in normal mode.

#13 Zeldanemesis (Full Member, 11 posts)
Posted 03 August 2004 - 01:13 PM

Okay. I did that and here are my new logs.

Logfile of HijackThis v1.97.7
Scan saved at 12:12:19 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\crfh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Games\Zip Stuff\aaw6181.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\appbf32.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {19915FBD-83F1-27DA-3219-B044C7088F73} - C:\WINDOWS\crkl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [System Toolkit] C:\Games\Zip Stuff\aaw6181.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [crfh.exe] C:\WINDOWS\crfh.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

-- Scan 1 --------
About:Buster Version 1.30
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#14 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 03 August 2004 - 01:50 PM

Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "crfh.exe" and "appbf32.exe". If you find the file, click it, and then click End Process => Exit the Task Manager.

Run HijackThis and delete:
O2 - BHO: (no name) - {19915FBD-83F1-27DA-3219-B044C7088F73} - C:\WINDOWS\crkl.dll
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKLM\..\RunOnce: [crfh.exe] C:\WINDOWS\crfh.exe


Delete the following files, if they are locked, boot into safe mode to delete them.
C:\WINDOWS\crkl.dll
C:\WINDOWS\crfh.exe
C:\WINDOWS\appbf32.exe

#15 Zeldanemesis (Full Member, 11 posts)
Posted 03 August 2004 - 05:53 PM

Okay. My homepage is back to normal. I think that did it. Thanks so much for all your help. There's no way I could have done it without you.

#16 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 03 August 2004 - 08:48 PM

Do the following and then post one more HijackThis log to verify that all is clean...
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Run Ad-Aware with the latest update.
    • Download the latest version of Ad-Aware from here.
    • After installing Ad-aware, and before running the program, Please be sure to update the reference file as per these instructions.
    • Reconfigure Ad-Aware for Full Scan as per the following instructions:
      • Launch the program, and click on the Gear at the top of the start screen.
      • Click the "Scanning" button (On the left side).
      • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • Click "Click here to select Drives + folders" and select your installed hard drives.
      • Under Memory & Registry, select all options.
      • Click the "Advanced" button (On the left hand side).
      • Under "Log-file detail", select all options.
      • Click the "Tweak" button (Again, on the left hand side).
      • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol) and select the following:
        • "Include additional Ad-aware settings in logfile"
        • "Unload recognized processes during scanning."
      • Under "Cleaning Engine", select the following:
        • "Automatically try to unregister objects prior to deletion."
        • "Let Windows remove files in use after reboot."
      • Click on "Proceed" to save these Preferences.
      • Click on the "Scan Now" button on the left.
      • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
      • Select "Activate in-Depth scan".
    • Close all programs except ad-aware.
    • Click on "Next" in the bottom right corner to start the scan.
    • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
    • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
  • Download the latest version of Spybot from either:
    • Install spybot and by default it should install into C:\Program Files\Spybot - Search & Destroy.
    • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
    • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
    • Click on "Search for Updates".
    • If any updates are found, place a check mark next to each and click on "Download Updates".
    • Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
    • Click on "Search & Destroy" => "Check for Problems".
    • If any problems are found, be sure to click on "Fix Selected Problems".

#17 Zeldanemesis (Full Member, 11 posts)
Posted 05 August 2004 - 01:42 AM

Logfile of HijackThis v1.97.7
Scan saved at 12:39:24 AM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Games\Zip Stuff\aaw6181.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [System Toolkit] C:\Games\Zip Stuff\aaw6181.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Here is hopefully my final HJT log. Thanks once again. I'm glad to have my home page back to normal. Also, the other user on this computer has this same problem. Do I need to go through this whole process to fix their home page or do you know what specific steps I need to do to get it back to normal?

#18 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)
Posted 05 August 2004 - 09:43 AM

Well, I am happy to say - The log looks like it should - CLEAN :)

It has been a pleasure to help you :)

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.
