Jump to content


Photo

Home Search/ Only the best hijacker


  • Please log in to reply
4 replies to this topic

#1 jimmystew

jimmystew

    Member

  • New Member
  • Pip
  • 3 posts

Posted 29 July 2004 - 10:16 PM

I definitely have been hijacked by the Home Search/ Only the Best Hijacker. I have followed instructions for removing it as posted in many different forums. I still haven't been able to get rid of it. Any help you can give would be greatly appreciated.

Here is my log file from Hijack This:

Logfile of HijackThis v1.98.0
Scan saved at 9:14:27 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\nettv32.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\ch_utility.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\addut.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Nate\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abwko.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://abwko.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://abwko.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\abwko.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abwko.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://abwko.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5FA23166-401F-13C1-370A-22B100AB77E7} - C:\WINDOWS\system32\winut32.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [Chrontel TV] C:\WINDOWS\System32\ch_utility.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [addut.exe] C:\WINDOWS\addut.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) - http://download.jaun...ublic/jaunt.cab

#2 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 29 July 2004 - 10:50 PM

Hey

Download about:buster here,
http://www.downloads...AboutBuster.zip
unzip it to your desktop.

You have a CWS hijacker, please boot into safe mode by tapping F8 while it's booting.

Open about:buster, Click Update to just see if there's any updates.
Run about:buster, save the log it generates in both of the scans, into a text file, it'll automatically scan a second time.

When both scans are run, boot back into normal mode, post both about:buster logs and a new hijackthis log, thank you.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#3 jimmystew

jimmystew

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 July 2004 - 04:20 PM

I downloaded the new About:buster. I had used it before, but some site gave me an older version of it. I think the newer version does a better job.
I booted into safe mode and ran about:buster. I forgot to copy the log. So I rebooted back into safe mode again, ran it again, and the this is the log file for it:

-- Scan 1 --------
About:Buster Version 2.0
Deleted Service Key Successfully!
Removed! : C:\WINDOWS\aiqid.dat
Removed! : C:\WINDOWS\yfymq.dat
Removed! : C:\WINDOWS\ynsrg.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Attempted Clean Of Temp folder.
Pages Reset... Done!


Here is my new log file from Hijack This:

Logfile of HijackThis v1.98.0
Scan saved at 3:13:07 PM, on 7/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\ch_utility.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Nate\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [Chrontel TV] C:\WINDOWS\System32\ch_utility.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital

Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP

Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program

Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft

Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program

Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {8E66A776-A350-4D69-8783-906DB0E6DF14} (Jaunt Class) -

http://download.jaun...ublic/jaunt.cab

#4 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 30 July 2004 - 04:38 PM

hey

Have hijackthis fix this one:

O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe

reboot into safe mode.

Find and delete:
c:\windows\svchost.exe .... make sure it's the one in the WINDOWS folder!

reboot into normal mode and you should be good to go! How is it?




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#5 jimmystew

jimmystew

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 July 2004 - 05:32 PM

It looks like that took care of it. Thanks for you help! It must have just been that i was using an old version of About:buster. I wish I had known that earlier. That would have saved me a lot of time. I just assumed it was the newest one, because I downloaded it yesterday from Spyware help site.
Thanks again!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button