Zeldanemesis

Home Search, Search Extender, Shopping Wizard

18 posts in this topic

I have tried to get rid of Home search assistant, to no avail, and I can't seem to find a way to get rid of the other two. Here is my Hijack this log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:50:26 PM, on 7/15/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\ntme.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\msnqmgr.exe

C:\WINDOWS\appbf32.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\xmuleoec.exe

C:\WINDOWS\System32\_10006c.exe

C:\WINDOWS\System32\Ctbjci7.exe

C:\WINDOWS\System32\EmvM8.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Games\Zip Stuff\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://suwwg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://suwwg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\suwwg.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe

O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe

O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe

O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

and here is my About:Buster log:

 

-- Scan 1 --------

About:Buster Version 1.30

Removed! : C:\WINDOWS\addah.dat

Removed! : C:\WINDOWS\kuqor.dll

Removed! : C:\WINDOWS\xfjpu.dat

Removed! : C:\WINDOWS\smmic.dll

Removed! : C:\WINDOWS\grdlf.dat

Removed! : C:\WINDOWS\cjzsa.dll

Removed! : C:\WINDOWS\grmwc.dat

Removed! : C:\WINDOWS\cqvim.dll

Removed! : C:\WINDOWS\lmett.dat

Removed! : C:\WINDOWS\System32\bvrcs.dat

Removed! : C:\WINDOWS\System32\ydjlr.dll

Removed! : C:\WINDOWS\System32\jjxaw.dat

Removed! : C:\WINDOWS\System32\wnevs.dat

Removed! : C:\WINDOWS\System32\kuzzj.dat

Removed! : C:\WINDOWS\System32\jbkug.dat

Removed! : C:\WINDOWS\System32\iuxsp.dat

Removed! : C:\WINDOWS\System32\huvha.dat

Removed! : C:\WINDOWS\System32\gtimb.dll

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Any help is greatly appreciated.


BUMP

 

Please help. I want to get rid of these before they start causing problems. Any help at all will be greatly appreciated.

 

Thanks


The offending problem is HSA or Home Search Assistant

 

I found two ways to fix this issue..

 

Microsoft page: http://support.microsoft.com/default.aspx?kbid=247501

 

or a utility at http://hsremove.bravehost.com and download hsremove.exe

 

run it and it seems to work...

 

***** New ***

 

This only fixed part of my issue... there still is something that wants to reload the redirecting software. Will get back

 

***** Update ****

 

ALL,

 

I had to disable spybot and run in safe mode, and this cleaned everything...

 

The only thing is when you're done you have to reset your home and search pages as this utility changes them to a confirmation page that your system is clean...


I appreciate the help, but neither worked. I have XP, and the article on removing it from Add/Remove Programs does not work for XP. And I have tried using HSRemove. I ran it in safe mode using the instructions it gave, and the first time I opened IE it worked, but HSA was back the second time I opened it.


OK, NEWBIE here, but I've been fighting on my own for awhile now until I found this site today.

 

Here's what I see as wrong:

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://suwwg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://suwwg.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\suwwg.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

 

 

I would lose every one of those R entries. BUT, you're going to have to find what's causing them or they are going to keep coming back.

 

O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe

O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

 

Those should go too.

 

O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe

 

I'd be suspicious of that one too....

 

There's likely more, but those leapt out at me. Let me know what you get after 'fixing' those....


I deleted all of those and they came back right after I deleted them. I made sure to close everything, especially Internet Explorer. Maybe I need to post a new log file. It's been a while since I posted my other one and I think I noticed some other things on there.

 

Logfile of HijackThis v1.97.7

Scan saved at 3:58:27 PM, on 8/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\msnqmgr.exe

C:\WINDOWS\appbf32.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\xmuleoec.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\ntme.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\DplY6.exe

C:\WINDOWS\System32\Yzj2W8DO.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Games\Zip Stuff\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtimb.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gtimb.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gtimb.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtimb.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gtimb.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gtimb.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\sysdk32.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe

O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe

O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe

O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Here's an updated Log file.

 

Thanks for taking the time to help me. I really appreciate it.


Sorry, I jumped the gun I guess. I misunderstood this as an open forum, and jumped in before I got a message suggesting I do otherwise. If you haven't been fixed up by the time I'm signed off on, I'll do my best to help.

 

Sorry about that.


To Remove your peper infection please follow the listed procedure:

  1. Download and run this Peper-uninstaller, making sure you're online while running it!
  2. Reboot into safe mode - How do I boot into "Safe" mode?
  3. Download the Newuninst uninstaller and run it.
  4. How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Run this program while still in safe mode.
  5. Reboot and sign in as you normally would.

-------------------------------------------

After the peper infection has been removed:

  1. Please download About:Buster from any of the following locations:
  2. Boot into safe mode. How do I boot into "Safe" mode?
  3. Unzip the downloaded about:buster program to your desktop.
  4. Double click it and hit "Ok".
  5. Click "Start".
  6. Select "Ok" to start the scan.
  7. The scan should take a few seconds.
  8. Once it is done save the report.
  9. Reboot and sign in as you normally do and repeat the procedure for running about:buster.
  10. Post the results of the report and a fresh HijackThis log for review.


Okay. Thanks so much. Here is my HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:35:42 AM, on 8/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ntme.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\msnqmgr.exe

C:\WINDOWS\appbf32.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\AIM\aim.exe

C:\WINDOWS\System32\xmuleoec.exe

C:\Games\Zip Stuff\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\sysdk32.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe

O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe

O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe

O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

and here is the About:Buster log:

 

-- Scan 1 --------

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Thanks again for all your help.


  1. You still have a peper infection: To Remove your peper infection please follow the listed procedure:
    • Download and run this Peper-uninstaller, making sure you're online while running it!
    • Reboot into safe mode - How do I boot into "Safe" mode?
    • Download the Newuninst uninstaller and run it.
    • Run Ad-Aware with the latest update.
      • Download the latest version of Ad-Aware from here.
      • After installing Ad-aware, and before running the program, Please be sure to update the reference file as per these instructions.
      • Reconfigure Ad-Aware for Full Scan as per the following instructions:
        • Launch the program, and click on the Gear at the top of the start screen.
        • Click the "Scanning" button (On the left side).
        • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
        • Click "Click here to select Drives + folders" and select your installed hard drives.
        • Under Memory & Registry, select all options.
        • Click the "Advanced" button (On the left hand side).
        • Under "Log-file detail", select all options.
        • Click the "Tweak" button (Again, on the left hand side).
        • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
          • "Include additional Ad-aware settings in logfile"
          • "Unload recognized processes during scanning."
        • Under "Cleaning Engine", select the following:
          • "Automatically try to unregister objects prior to deletion."
          • "Let Windows remove files in use after reboot."
        • Click on "Proceed" to save these Preferences.
        • Click on the "Scan Now" button on the left.
        • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
        • Select "Activate in-Depth scan".
        • Close all programs except ad-aware.
        • Click on "Next" in the bottom right corner to start the scan.
      • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
      • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
  2. HijackThis ...
    • Double click on "My Computer" to open it.
    • Double click on the local "C-Drive" to open it.
    • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
    • Please download HijackThis from any of the following locations:
    • Install/Unzip it into C:\HJT.
    • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
    • Run HijackThis (This should, typically, be run from C:\HJT\HijackThis.exe)
      • Click on "Config" in the bottom right corner of the HijackThis window.
      • Make sure that the "Main" tab is selected at the top.
      • Place a checkmark in the box labelled "Make backups before fixing items".
      • Click on "Back" in the bottom right corner.
      • Make sure all Browser windows are closed otherwise it may interfere with the fixing of items.
      • Click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":
        • O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\sysdk32.dll
        • O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
        • O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
        • O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
        • O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
        • O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe
  3. Please reboot into safe mode - How do I boot into "Safe" mode?
  4. The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    1. DIRECTORY CONTENTS (But not the directory)
      • %windir%\Temp\
      • %temp%\
      • %userprofile%\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. Click on "OK" once more to close the options panel.
      • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
    2. DIRECTORIES
      • Nothing to Delete
    3. FILES
      • C:\WINDOWS\sysdk32.dll
      • C:\WINDOWS\System32\Qcn03Z2H.exe
      • C:\WINDOWS\appbf32.exe
      • C:\WINDOWS\System32\xmuleoec.exe
      • C:\WINDOWS\ntme.exe
  5. Reboot again and log in normally, repost a new HijackThis log into this message for further review.


Here's my HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:04:18 AM, on 8/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Games\Zip Stuff\aaw6181.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\AIM\aim.exe

C:\WINDOWS\appbf32.exe

C:\WINDOWS\ntme.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hrydd.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hrydd.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hrydd.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hrydd.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hrydd.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hrydd.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {3484845E-4CE4-1539-2AA2-4AD62499E085} - C:\WINDOWS\system32\sdknq.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [system Toolkit] C:\Games\Zip Stuff\aaw6181.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe

O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe

O4 - HKLM\..\RunOnce: [crfh.exe] C:\WINDOWS\crfh.exe

O4 - HKLM\..\RunOnce: [winnc.exe] C:\WINDOWS\winnc.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

The R1's and R0's are back. There has to be something still hiding somewhere.

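The pattern the thread keeps hitting (the R0/R1 values return after every fix, each time pointing at a differently named DLL) can be checked by comparing scans rather than reading each log alone. The following is an added example, not part of any post and not HijackThis's own code: it parses R and O4 lines excerpted from three of the logs above, reports the `res://` DLL per scan, and lists autorun commands present in every scan. The function names are illustrative, and the persistent list is a shortlist to review, not a verdict.

```python
import re
from typing import NamedTuple

# R and O4 lines excerpted from three of the HijackThis logs posted in this thread.
SCANS = [
    ("7/15/2004", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\suwwg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://suwwg.dll/index.html#96676
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
"""),
    ("8/2/2004", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gtimb.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gtimb.dll/index.html#96676
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [2QN4WB42@LT8S@] C:\WINDOWS\System32\Qcn03Z2H.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Dmxy] C:\WINDOWS\System32\xmuleoec.exe
"""),
    ("8/3/2004 11:04", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hrydd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hrydd.dll/index.html#96676
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [ntme.exe] C:\WINDOWS\ntme.exe
O4 - HKLM\..\RunOnce: [crfh.exe] C:\WINDOWS\crfh.exe
"""),
]


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "R1" or "O4"
    body: str  # everything after "<code> - "


LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# res://<path or name>.dll/<page>#<id>, as seen in the R0/R1 values above
RES_RE = re.compile(r"res://(.+?\.dll)/[^#\s]*#(\w+)", re.IGNORECASE)
# HKLM\..\Run: [name] command
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")


def parse(text):
    """Turn raw log text into Entry tuples, skipping headers and blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def res_hijacks(entries):
    """Return {(dll basename, fragment id)} for R entries whose value is a res:// URL."""
    found = set()
    for e in entries:
        m = RES_RE.search(e.body) if e.code.startswith("R") else None
        if m:
            dll = m.group(1).rsplit("\\", 1)[-1].lower()
            found.add((dll, m.group(2)))
    return found


def autoruns(entries):
    """Map lower-cased command line -> value name for O4 (Run/RunOnce) entries."""
    runs = {}
    for e in entries:
        m = O4_RE.match(e.body) if e.code == "O4" else None
        if m:
            runs[m.group(4).lower()] = m.group(3)
    return runs


def triage(scans):
    """Compare scans: which DLL each one points at, and which autoruns never go away."""
    parsed = [parse(text) for _, text in scans]
    hijacks = [res_hijacks(p) for p in parsed]
    dll_per_scan = [sorted({dll for dll, _ in h}) for h in hijacks]
    fragment_ids = {frag for h in hijacks for _, frag in h}
    runs = [autoruns(p) for p in parsed]
    persistent = set(runs[0]).intersection(*runs[1:])
    return {
        "dll_per_scan": dll_per_scan,
        "fragment_ids": fragment_ids,
        # Same fragment id, different DLL each time: something is re-dropping it.
        "dll_rotates": len({tuple(d) for d in dll_per_scan}) > 1 and len(fragment_ids) == 1,
        "persistent_autoruns": sorted(persistent),
    }


if __name__ == "__main__":
    for key, value in triage(SCANS).items():
        print(key, "=", value)
```

On these excerpts the DLL name differs in every scan while the `#96676` fragment and the `appbf32.exe` and `IEService.exe` autoruns stay put; the HP taskbar utility also persists and no reply flags it, which is why the output needs a human review.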

  1. Please download About:Buster from any of the following locations:
  2. Boot into safe mode. How do I boot into "Safe" mode?
  3. Unzip the downloaded about:buster program to your desktop.
  4. Double click it and hit "Ok".
  5. Click "Start".
  6. Select "Ok" to start the scan.
  7. The scan should take a few seconds.
  8. Once it is done save the report.
  9. Reboot and sign in as you normally do and repeat the procedure for running about:buster.
  10. Post the results of the report and a fresh HijackThis log for review.

Run through this twice in safe mode and twice in normal mode.


Okay. I did that and here are my new logs.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:12:19 PM, on 8/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\crfh.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Games\Zip Stuff\aaw6181.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\appbf32.exe

C:\HJT\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {19915FBD-83F1-27DA-3219-B044C7088F73} - C:\WINDOWS\crkl.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [system Toolkit] C:\Games\Zip Stuff\aaw6181.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [crfh.exe] C:\WINDOWS\crfh.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

-- Scan 1 --------

About:Buster Version 1.30

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "crfh.exe" and "appbf32.exe". If you find the file, click it, and then click End Process => Exit the Task Manager.

 

Run HijackThis and delete:

O2 - BHO: (no name) - {19915FBD-83F1-27DA-3219-B044C7088F73} - C:\WINDOWS\crkl.dll

O4 - HKLM\..\Run: [appbf32.exe] C:\WINDOWS\appbf32.exe

O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe

O4 - HKLM\..\RunOnce: [crfh.exe] C:\WINDOWS\crfh.exe

 

 

Delete the following files, if they are locked, boot into safe mode to delete them.

C:\WINDOWS\crkl.dll

C:\WINDOWS\crfh.exe

C:\WINDOWS\appbf32.exe


Okay. My homepage is back to normal. I think that did it. Thanks so much for all your help. There's no way I could have done it without you.


Do the following and then post one more HijackThis log to verify that all is clean...

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  1. Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  2. Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  3. IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  4. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  5. Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  6. Run Ad-Aware with the latest update.
    • Download the latest version of Ad-Aware from here.
    • After installing Ad-aware, and before running the program, Please be sure to update the reference file as per these instructions.
    • Reconfigure Ad-Aware for Full Scan as per the following instructions:
      • Launch the program, and click on the Gear at the top of the start screen.
      • Click the "Scanning" button (On the left side).
      • Under Drives & Folders, select "Scan within Archives" (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • Click "Click here to select Drives + folders" and select your installed hard drives.
      • Under Memory & Registry, select all options.
      • Click the "Advanced" button (On the left hand side).
      • Under "Log-file detail", select all options.
      • Click the "Tweak" button (Again, on the left hand side).
      • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
        • "Include additional Ad-aware settings in logfile"
        • "Unload recognized processes during scanning."
      • Under "Cleaning Engine", select the following:
        • "Automatically try to unregister objects prior to deletion."
        • "Let Windows remove files in use after reboot."
      • Click on "Proceed" to save these Preferences.
      • Click on the "Scan Now" button on the left.
      • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
      • Select "Activate in-Depth scan".
      • Close all programs except ad-aware.
      • Click on "Next" in the bottom right corner to start the scan.
    • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
    • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
  7. Download the latest version of Spybot from either:
    • Install spybot and by default it should install into C:\Program Files\Spybot - Search & Destroy.
    • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
    • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
    • Click on "Search for Updates".
    • If any updates are found, place a check mark next to each and click on "Download Updates".
    • Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
    • Click on "Search & Destroy" => "Check for Problems".
    • If any problems are found, be sure to click on "Fix Selected Problems".


Logfile of HijackThis v1.97.7
Scan saved at 12:39:24 AM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Games\Zip Stuff\aaw6181.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [system Toolkit] C:\Games\Zip Stuff\aaw6181.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Here is hopefully my final HJT log. Thanks once again. I'm glad to have my home page back to normal. Also, the other user on this computer has this same problem. Do I need to go through this whole process to fix their home page or do you know what specific steps I need to do to get it back to normal?

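An added example, not part of the original thread: a small Python parser for the HijackThis log format posted above, grouping entries by section code and pulling out the Run-key autostarts a reviewer checks first. The sample is an excerpt of that log; the function names and the section descriptions are this example's own.

```python
import re

# Section codes as HijackThis 1.9x prints them (only those present in the log above).
SECTIONS = {
    "R0": "IE start/search page", "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)", "O8": "IE context-menu item",
    "O9": "IE extra button", "O16": "downloaded ActiveX control (DPF)",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.*)$")

# Excerpt copied from the log posted above.
SAMPLE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

def parse_hjt(text):
    """Return (running_processes, {section_code: [entry dicts]})."""
    procs, entries, in_procs = [], {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False  # the first coded entry ends the process list
            code, detail = m.groups()
            item = {"kind": SECTIONS.get(code, "unknown"), "detail": detail}
            clsid, run = CLSID.search(detail), RUN.match(detail)
            if clsid:
                item["clsid"] = clsid.group(0).upper()
            if run:
                item["key"], item["name"], item["command"] = run.groups()
            entries.setdefault(code, []).append(item)
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def autostarts(entries):
    """(name, command) for each O4 Run-key entry: what starts at boot or logon."""
    return [(e["name"], e["command"]) for e in entries.get("O4", []) if "name" in e]
```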

Well, I am happy to say - The log looks like it should - CLEAN :)

It has been a pleasure to help you :)

The problems here look to be resolved so I will close the thread. If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

If you would like to make a contribution to help support SpywareInfo, please check this link for more information.
