Home Search Assistant, Shopping Wizard, Search Extender

Linchey050 (Newbie Poster)
#1, May 9th, 2005
I was trying to get my AIM to work, because every time I try to open an IM box, the whole thing closes, and I went to the AIM site, and it said that if I had these three programs, it might be causing it and to delete it...Well, I can't delete them!!! And my AIM still doesn't work and I have tons of popups and other annoyances on here...how can I delete them??

(Related Thread -- http://www.daniweb.com/techtalkforums/thread23313.html)
Last edited by dlh6213; May 10th, 2005 at 3:08 am. Reason: Added related thread by same user

dlh6213 (Posting Maven, Team Colleague)
#2, May 10th, 2005
Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

Links to help you help yourself:

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html

Linchey050 (Newbie Poster)
#3, May 12th, 2005
Ok, so I did this...please help, it would mean so much!!

Logfile of HijackThis v1.99.1
Scan saved at 9:43:07 PM, on 5/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntbp32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst10.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst11.tmp
C:\PROGRA~1\AIM\WxBug.EXE
C:\DOCUME~1\Sarah\LOCALS~1\Temp\GLB12.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst1B.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst1E.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sarah\LOCALS~1\Temp\nst1F.tmp
C:\DOCUME~1\Sarah\LOCALS~1\Temp\AIMWDInstallStripped.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {79FED68F-557B-E50C-4282-87434007B6F9} - C:\WINDOWS\atlom32.dll
O2 - BHO: Class - {F99061EE-BCEC-AA3C-EDD1-FD4D490410FD} - C:\WINDOWS\system32\wincn.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=051704 serial=WP12WCX-0100896-SXR
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3gx32.exe] C:\WINDOWS\system32\d3gx32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\Run: [ntbp32.exe] C:\WINDOWS\system32\ntbp32.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\RunOnce: [addfx.exe] C:\WINDOWS\system32\addfx.exe
O4 - HKLM\..\RunOnce: [addav32.exe] C:\WINDOWS\system32\addav32.exe
O4 - HKLM\..\RunOnce: [sdkno32.exe] C:\WINDOWS\sdkno32.exe
O4 - HKLM\..\RunOnce: [crkn32.exe] C:\WINDOWS\crkn32.exe
O4 - HKLM\..\RunOnce: [mstg.exe] C:\WINDOWS\mstg.exe
O4 - HKLM\..\RunOnce: [d3ib32.exe] C:\WINDOWS\system32\d3ib32.exe
O4 - HKLM\..\RunOnce: [javaai32.exe] C:\WINDOWS\system32\javaai32.exe
O4 - HKLM\..\RunOnce: [sdkdr.exe] C:\WINDOWS\sdkdr.exe
O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\system32\d3vc.exe
O4 - HKLM\..\RunOnce: [netxz32.exe] C:\WINDOWS\system32\netxz32.exe
O4 - HKLM\..\RunOnce: [netlo32.exe] C:\WINDOWS\netlo32.exe
O4 - HKLM\..\RunOnce: [apihq.exe] C:\WINDOWS\system32\apihq.exe
O4 - HKLM\..\RunOnce: [netag32.exe] C:\WINDOWS\netag32.exe
O4 - HKLM\..\RunOnce: [syspe.exe] C:\WINDOWS\system32\syspe.exe
O4 - HKLM\..\RunOnce: [atlfq.exe] C:\WINDOWS\system32\atlfq.exe
O4 - HKLM\..\RunOnce: [msxb.exe] C:\WINDOWS\msxb.exe
O4 - HKLM\..\RunOnce: [sdklh32.exe] C:\WINDOWS\sdklh32.exe
O4 - HKLM\..\RunOnce: [msak.exe] C:\WINDOWS\msak.exe
O4 - HKLM\..\RunOnce: [netpj32.exe] C:\WINDOWS\system32\netpj32.exe
O4 - HKLM\..\RunOnce: [javanq.exe] C:\WINDOWS\system32\javanq.exe
O4 - HKLM\..\RunOnce: [ntpw.exe] C:\WINDOWS\ntpw.exe
O4 - HKLM\..\RunOnce: [javalx.exe] C:\WINDOWS\javalx.exe
O4 - HKLM\..\RunOnce: [iebg.exe] C:\WINDOWS\iebg.exe
O4 - HKLM\..\RunOnce: [winzi.exe] C:\WINDOWS\winzi.exe
O4 - HKLM\..\RunOnce: [sysbu.exe] C:\WINDOWS\sysbu.exe
O4 - HKLM\..\RunOnce: [winwj32.exe] C:\WINDOWS\system32\winwj32.exe
O4 - HKLM\..\RunOnce: [crfy32.exe] C:\WINDOWS\system32\crfy32.exe
O4 - HKLM\..\RunOnce: [ipdn.exe] C:\WINDOWS\ipdn.exe
O4 - HKLM\..\RunOnce: [ipuk32.exe] C:\WINDOWS\ipuk32.exe
O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\appcd32.exe
O4 - HKLM\..\RunOnce: [crtf.exe] C:\WINDOWS\crtf.exe
O4 - HKLM\..\RunOnce: [addry.exe] C:\WINDOWS\system32\addry.exe
O4 - HKLM\..\RunOnce: [ietl32.exe] C:\WINDOWS\system32\ietl32.exe
O4 - HKLM\..\RunOnce: [syspt.exe] C:\WINDOWS\system32\syspt.exe
O4 - HKLM\..\RunOnce: [ieab.exe] C:\WINDOWS\system32\ieab.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...84/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

dlh6213 (Posting Maven, Team Colleague)
#4, May 13th, 2005
Part of your problem may stem from the use of file-sharing programs (aka P2P), such as Warez.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Before fixing anything with HijackThis, you still should put it into its own folder. To do this, right-click on an empty area of your desktop, select New, Folder; give the new folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Then close any open browser windows, scan with hijackthis, and post a new log please.

Linchey050 (Newbie Poster)
#5, May 13th, 2005
Deleted about 22 temp files and a bunch of cookies...here is the new product

Logfile of HijackThis v1.99.1
Scan saved at 3:01:36 PM, on 5/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\nteb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F99061EE-BCEC-AA3C-EDD1-FD4D490410FD} - C:\WINDOWS\system32\wincn.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=051704 serial=WP12WCX-0100896-SXR
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3gx32.exe] C:\WINDOWS\system32\d3gx32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\Run: [ntbp32.exe] C:\WINDOWS\system32\ntbp32.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\RunOnce: [addfx.exe] C:\WINDOWS\system32\addfx.exe
O4 - HKLM\..\RunOnce: [msei.exe] C:\WINDOWS\msei.exe
O4 - HKLM\..\RunOnce: [mfcfi.exe] C:\WINDOWS\mfcfi.exe
O4 - HKLM\..\RunOnce: [msoc.exe] C:\WINDOWS\system32\msoc.exe
O4 - HKLM\..\RunOnce: [ipcn.exe] C:\WINDOWS\ipcn.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\system32\javafd.exe
O4 - HKLM\..\RunOnce: [netqy32.exe] C:\WINDOWS\netqy32.exe
O4 - HKLM\..\RunOnce: [nettl.exe] C:\WINDOWS\system32\nettl.exe
O4 - HKLM\..\RunOnce: [adddb32.exe] C:\WINDOWS\adddb32.exe
O4 - HKLM\..\RunOnce: [winmb32.exe] C:\WINDOWS\system32\winmb32.exe
O4 - HKLM\..\RunOnce: [ipao32.exe] C:\WINDOWS\system32\ipao32.exe
O4 - HKLM\..\RunOnce: [addjk.exe] C:\WINDOWS\addjk.exe
O4 - HKLM\..\RunOnce: [croe32.exe] C:\WINDOWS\croe32.exe
O4 - HKLM\..\RunOnce: [ipwv.exe] C:\WINDOWS\ipwv.exe
O4 - HKLM\..\RunOnce: [wintg32.exe] C:\WINDOWS\system32\wintg32.exe
O4 - HKLM\..\RunOnce: [crps32.exe] C:\WINDOWS\system32\crps32.exe
O4 - HKLM\..\RunOnce: [atlyi.exe] C:\WINDOWS\atlyi.exe
O4 - HKLM\..\RunOnce: [mfchu32.exe] C:\WINDOWS\mfchu32.exe
O4 - HKLM\..\RunOnce: [sdkzq32.exe] C:\WINDOWS\system32\sdkzq32.exe
O4 - HKLM\..\RunOnce: [netoz.exe] C:\WINDOWS\system32\netoz.exe
O4 - HKLM\..\RunOnce: [ienc32.exe] C:\WINDOWS\system32\ienc32.exe
O4 - HKLM\..\RunOnce: [sdkaw32.exe] C:\WINDOWS\sdkaw32.exe
O4 - HKLM\..\RunOnce: [iels32.exe] C:\WINDOWS\iels32.exe
O4 - HKLM\..\RunOnce: [iepf.exe] C:\WINDOWS\iepf.exe
O4 - HKLM\..\RunOnce: [msan.exe] C:\WINDOWS\msan.exe
O4 - HKLM\..\RunOnce: [atltj32.exe] C:\WINDOWS\atltj32.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...84/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

dlh6213 (Posting Maven, Team Colleague)
#6, May 14th, 2005
You missed a couple of steps:

Before fixing anything with HijackThis, you still should put it into its own folder. To do this, right-click on an empty area of your desktop, select New, Folder; give the new folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Then close any open browser windows, scan with hijackthis, and post a new log please.

Linchey050 (Newbie Poster)
#7, May 14th, 2005
Ok...I think I did it right this time!!! :o

Logfile of HijackThis v1.99.1
Scan saved at 1:29:49 PM, on 5/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\d3gx32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Sarah\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ckyda.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BC3F7BC-69C1-08BC-EB9C-EC3C41D197CF} - C:\WINDOWS\appsw.dll
O2 - BHO: Class - {FD53AF3D-B5A4-3DEC-C009-E2E6791F3EE9} - C:\WINDOWS\system32\iezy32.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=051704 serial=WP12WCX-0100896-SXR
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3gx32.exe] C:\WINDOWS\system32\d3gx32.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\Run: [ntbp32.exe] C:\WINDOWS\system32\ntbp32.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [d3un.exe] C:\WINDOWS\system32\d3un.exe
O4 - HKLM\..\RunOnce: [addfx.exe] C:\WINDOWS\system32\addfx.exe
O4 - HKLM\..\RunOnce: [aping.exe] C:\WINDOWS\system32\aping.exe
O4 - HKLM\..\RunOnce: [crfv.exe] C:\WINDOWS\crfv.exe
O4 - HKLM\..\RunOnce: [netsx32.exe] C:\WINDOWS\netsx32.exe
O4 - HKLM\..\RunOnce: [addmc.exe] C:\WINDOWS\addmc.exe
O4 - HKLM\..\RunOnce: [appgv32.exe] C:\WINDOWS\appgv32.exe
O4 - HKLM\..\RunOnce: [winkp32.exe] C:\WINDOWS\system32\winkp32.exe
O4 - HKLM\..\RunOnce: [atlou.exe] C:\WINDOWS\system32\atlou.exe
O4 - HKLM\..\RunOnce: [sysct32.exe] C:\WINDOWS\sysct32.exe
O4 - HKLM\..\RunOnce: [d3ex.exe] C:\WINDOWS\system32\d3ex.exe
O4 - HKLM\..\RunOnce: [ntdj.exe] C:\WINDOWS\system32\ntdj.exe
O4 - HKLM\..\RunOnce: [msmy.exe] C:\WINDOWS\msmy.exe
O4 - HKLM\..\RunOnce: [netaa.exe] C:\WINDOWS\system32\netaa.exe
O4 - HKLM\..\RunOnce: [sdkie.exe] C:\WINDOWS\sdkie.exe
O4 - HKLM\..\RunOnce: [ieta32.exe] C:\WINDOWS\system32\ieta32.exe
O4 - HKLM\..\RunOnce: [netzu32.exe] C:\WINDOWS\system32\netzu32.exe
O4 - HKLM\..\RunOnce: [sysnx.exe] C:\WINDOWS\sysnx.exe
O4 - HKLM\..\RunOnce: [atlcv32.exe] C:\WINDOWS\atlcv32.exe
O4 - HKLM\..\RunOnce: [apiax.exe] C:\WINDOWS\apiax.exe
O4 - HKLM\..\RunOnce: [apppo.exe] C:\WINDOWS\apppo.exe
O4 - HKLM\..\RunOnce: [apidm.exe] C:\WINDOWS\system32\apidm.exe
O4 - HKLM\..\RunOnce: [appsb32.exe] C:\WINDOWS\system32\appsb32.exe
O4 - HKLM\..\RunOnce: [iero32.exe] C:\WINDOWS\system32\iero32.exe
O4 - HKLM\..\RunOnce: [wincz.exe] C:\WINDOWS\system32\wincz.exe
O4 - HKLM\..\RunOnce: [sysmg.exe] C:\WINDOWS\sysmg.exe
O4 - HKLM\..\RunOnce: [iexl32.exe] C:\WINDOWS\iexl32.exe
O4 - HKLM\..\RunOnce: [atlqh.exe] C:\WINDOWS\atlqh.exe
O4 - HKLM\..\RunOnce: [mfcww32.exe] C:\WINDOWS\system32\mfcww32.exe
O4 - HKLM\..\RunOnce: [sdkos32.exe] C:\WINDOWS\sdkos32.exe
O4 - HKLM\..\RunOnce: [sdklv32.exe] C:\WINDOWS\sdklv32.exe
O4 - HKLM\..\RunOnce: [mfctd32.exe] C:\WINDOWS\mfctd32.exe
O4 - HKLM\..\RunOnce: [syshf.exe] C:\WINDOWS\syshf.exe
O4 - HKLM\..\RunOnce: [apijd32.exe] C:\WINDOWS\system32\apijd32.exe
O4 - HKLM\..\RunOnce: [appsw.exe] C:\WINDOWS\appsw.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...84/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

DMR (Wombat At Large, Team Colleague)
#8, May 14th, 2005
Blech! That log is still a right mess; you have numerous infections.

Let's see if we can get some of it cleaned up with a few automated utilities before digging in with HJT and manual removal methods.

1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/actives..._principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed). After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

About:Buster
HSRemove
ewido Security Suite
Microsoft Anti-Spyware beta
Ad Aware SE Personal
SpyBot Search & Destroy


3. Run HijackThis again and post a fresh log.

"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing


Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
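
A triage sketch for logs like the ones posted above, added here as an example and not part of the original thread: it parses the R0/R1 and O4 lines, flags two entry shapes (an IE search setting served from a `res://` DLL in the Windows directory, and an autorun value named after its own binary there), and compares two scans. The flagging rules, the `KNOWN_GOOD` allowlist and all function names are assumptions for illustration; the sample lines are taken from the first two logs in this thread.

```python
import ntpath
import re

# Constructed samples: a handful of lines taken from the first two logs above.
SCAN_1 = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ngrog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\RunOnce: [sdkno32.exe] C:\WINDOWS\sdkno32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
SCAN_2 = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bebvu.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nteb.exe] C:\WINDOWS\system32\nteb.exe
O4 - HKLM\..\RunOnce: [msei.exe] C:\WINDOWS\msei.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# R0/R1: "<code> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (.+?),([^=]+?) = (.*)$")
# O4: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# First drive-letter path ending in .exe or .dll inside a value.
FILE_IN = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)

WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumption: a minimal allowlist; ctfmon.exe is a Windows component that
# would otherwise match the autorun rule below.
KNOWN_GOOD = {"ctfmon.exe"}


def parse(log):
    """Turn R0/R1 and O4 lines into dicts; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            entries.append({"code": m[1], "name": m[3], "data": m[4]})
            continue
        m = O4_LINE.match(line)
        if m:
            entries.append({"code": "O4", "name": m[3], "data": m[4]})
    return entries


def referenced_file(data):
    """Lower-cased path of the first .exe/.dll named in a value, or None."""
    m = FILE_IN.search(data)
    return m.group(1).lower() if m else None


def triage(entries):
    """Map flagged file path -> reason. Heuristics only, not verdicts."""
    findings = {}
    for e in entries:
        path = referenced_file(e["data"])
        if path is None:
            continue
        in_windir = ntpath.dirname(path) in WINDOWS_DIRS
        base = ntpath.basename(path)
        if e["code"].startswith("R"):
            if e["data"].lower().startswith("res://") and in_windir:
                findings[path] = "IE search setting served from a DLL in the Windows directory"
        elif in_windir and e["name"].lower() == base and base not in KNOWN_GOOD:
            findings[path] = "autorun value named after its own binary in the Windows directory"
    return findings


def compare_scans(log_a, log_b):
    """Split flagged files into those in both scans, only the first, only the second."""
    a, b = triage(parse(log_a)), triage(parse(log_b))
    return {
        "persistent": sorted(a.keys() & b.keys()),
        "gone": sorted(a.keys() - b.keys()),
        "new": sorted(b.keys() - a.keys()),
    }


if __name__ == "__main__":
    for bucket, paths in compare_scans(SCAN_1, SCAN_2).items():
        print(bucket, paths)
```

On these samples the `res://` DLL and the RunOnce name differ between the two scans while `nteb.exe` stays, so a name vanishing from one log is not evidence that the entry was cleaned.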

Linchey050 (Newbie Poster)
#9, May 25th, 2005
Ok...It took a while to get all of this done...or at least I think it all is. I downloaded a lot of it, but had to run it all a LOT. The Ewido one would error in the middle and a diff. would freeze...I dunno, but I think it's a little better today, so I ran a HiJack log.

Logfile of HijackThis v1.99.1
Scan saved at 8:02:39 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ntht32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sarah\Desktop\Anti-Bad\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {46DF3BCE-821E-D3DD-3C76-56A4F7ADF988} - C:\WINDOWS\iexo.dll
O2 - BHO: Class - {8F6CE7E6-1006-35E7-C881-E904D5149F8D} - C:\WINDOWS\ntam.dll
O2 - BHO: Class - {E684A367-9097-B604-A183-5AAD9939B58C} - C:\WINDOWS\system32\sdktb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [appyh32.exe] C:\WINDOWS\system32\appyh32.exe
O4 - HKLM\..\Run: [ntht32.exe] C:\WINDOWS\ntht32.exe
O4 - HKLM\..\RunOnce: [ipnz.exe] C:\WINDOWS\ipnz.exe
O4 - HKLM\..\RunOnce: [ipma32.exe] C:\WINDOWS\ipma32.exe
O4 - HKLM\..\RunOnce: [msnj32.exe] C:\WINDOWS\msnj32.exe
O4 - HKLM\..\RunOnce: [crlc.exe] C:\WINDOWS\crlc.exe
O4 - HKLM\..\RunOnce: [wingd.exe] C:\WINDOWS\wingd.exe
O4 - HKLM\..\RunOnce: [sysfy32.exe] C:\WINDOWS\sysfy32.exe
O4 - HKLM\..\RunOnce: [ipzk32.exe] C:\WINDOWS\ipzk32.exe
O4 - HKLM\..\RunOnce: [addkd32.exe] C:\WINDOWS\addkd32.exe
O4 - HKLM\..\RunOnce: [mfcda.exe] C:\WINDOWS\mfcda.exe
O4 - HKLM\..\RunOnce: [netha32.exe] C:\WINDOWS\system32\netha32.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...84/mcfscan.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Join Date: Dec 2003
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Solved Threads: 362
Team Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: Home Search Assistant, Shopping Wizard, Search Extender

 
0
  #10
May 27th, 2005
The detection and removal programs I asked you to run don't seem to have done their jobs as well as they should have. Please do the following:

Print out the instructions below or save them into a text file using Windows Notepad; you will not have access to the Internet during most of this troubleshoot:

1. - Uninstall WeatherBug; it contains spyware components.

- Uninstall SpyFighter; it is a disreputable product which, among other things, returns "false positives" in its scans. Before installing any "anti-spyware" product, you should consult this list to verify the product's legitimacy; there are a lot of imposters and frauds out there.

- You should uninstall Warez P2P, although that choice is yours. Aside from the obvious legal issues, filesharing is one of the primary ways through which people become infected with spyware and adware.


2. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up), and run all of the utilities I listed in #2 of last post again; have each utility fix everything it finds. Running the utilities in Safe Mode might enable them to do a more thorough cleaning.


3. While still in Safe Mode, run HijackThis and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jwhog.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {46DF3BCE-821E-D3DD-3C76-56A4F7ADF988} - C:\WINDOWS\iexo.dll
O2 - BHO: Class - {8F6CE7E6-1006-35E7-C881-E904D5149F8D} - C:\WINDOWS\ntam.dll
O2 - BHO: Class - {E684A367-9097-B604-A183-5AAD9939B58C} - C:\WINDOWS\system32\sdktb.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [appyh32.exe] C:\WINDOWS\system32\appyh32.exe
O4 - HKLM\..\Run: [ntht32.exe] C:\WINDOWS\ntht32.exe
O4 - HKLM\..\RunOnce: [ipnz.exe] C:\WINDOWS\ipnz.exe
O4 - HKLM\..\RunOnce: [ipma32.exe] C:\WINDOWS\ipma32.exe
O4 - HKLM\..\RunOnce: [msnj32.exe] C:\WINDOWS\msnj32.exe
O4 - HKLM\..\RunOnce: [crlc.exe] C:\WINDOWS\crlc.exe
O4 - HKLM\..\RunOnce: [wingd.exe] C:\WINDOWS\wingd.exe
O4 - HKLM\..\RunOnce: [sysfy32.exe] C:\WINDOWS\sysfy32.exe
O4 - HKLM\..\RunOnce: [ipzk32.exe] C:\WINDOWS\ipzk32.exe
O4 - HKLM\..\RunOnce: [addkd32.exe] C:\WINDOWS\addkd32.exe
O4 - HKLM\..\RunOnce: [mfcda.exe] C:\WINDOWS\mfcda.exe
O4 - HKLM\..\RunOnce: [netha32.exe] C:\WINDOWS\system32\netha32.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)



4. While still in Safe Mode:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following folders entirely:
C:\Program Files\SpyFighter
C:\Program Files\Warez P2P
C:\PROGRAM Files\AWS

- Locate and delete the following files:
C:\WINDOWS\jwhog.dll
C:\WINDOWS\iexo.dll
C:\WINDOWS\ntam.dll
C:\WINDOWS\system32\sdktb.dll
C:\WINDOWS\system32\appyh32.exe
C:\WINDOWS\ntht32.exe
C:\WINDOWS\ipnz.exe
C:\WINDOWS\ipma32.exe
C:\WINDOWS\msnj32.exe
C:\WINDOWS\crlc.exe
C:\WINDOWS\wingd.exe
C:\WINDOWS\sysfy32.exe
C:\WINDOWS\ipzk32.exe
C:\WINDOWS\addkd32.exe
C:\WINDOWS\mfcda.exe
C:\WINDOWS\system32\netha32.exe

C:\WINDOWS\system32\javasz.exe

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


5. Run HJT again and post a new log.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing


Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
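An added example, not part of the thread and not HijackThis's own logic: a small triage pass over a HijackThis log that flags the entry patterns recurring in the fix list above (res:// search settings, unnamed BHOs and self-named autostarts in the Windows directory, services with an unknown owner or missing file). The heuristics, the `KNOWN_GOOD` allowlist and the function names are assumptions, and the output is a list for manual review.

```python
import re
from ntpath import basename, dirname

# Constructed sample: lines adapted from the log in this thread (garbled O23 short name omitted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jwhog.dll/sp.html#37049
O2 - BHO: Class - {46DF3BCE-821E-D3DD-3C76-56A4F7ADF988} - C:\WINDOWS\iexo.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntht32.exe] C:\WINDOWS\ntht32.exe
O4 - HKLM\..\RunOnce: [netha32.exe] C:\WINDOWS\system32\netha32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown owner - C:\WINDOWS\system32\javasz.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")        # "O4 - ..." style entry lines
RUN_VALUE = re.compile(r"^.*?: \[(.+?)\] (.+)$")  # "HKLM\..\Run: [name] command"
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
KNOWN_GOOD = {"ctfmon.exe"}  # assumption: tiny illustrative allowlist of Windows binaries

def in_system_dir(path):
    return dirname(path).lower() in SYSTEM_DIRS

def triage(log_text):
    """Return (code, reason, line) tuples for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        reason = None
        if code in ("R0", "R1") and "= res://" in body:
            reason = "IE setting points at a resource inside a local DLL"
        elif code == "O2":
            name, path = body.split(" - ")[0], body.rsplit(" - ", 1)[-1]
            if name == "BHO: Class" and in_system_dir(path):
                reason = "unnamed BHO loaded from the Windows directory"
        elif code == "O4" and (run := RUN_VALUE.match(body)):
            value, cmd = run.group(1).lower(), run.group(2)
            if value == basename(cmd).lower() and in_system_dir(cmd) and value not in KNOWN_GOOD:
                reason = "autostart value named after an executable in the Windows directory"
        elif code == "O23" and ("Unknown owner" in body or body.endswith("(file missing)")):
            reason = "service with no vendor string or no file on disk"
        if reason:
            findings.append((code, reason, line.strip()))
    return findings

for code, reason, entry in triage(SAMPLE_LOG):
    print(f"{code:<4}{reason}\n    {entry}")
```

The patterns are narrower than the fix list in the post: entries such as the `about:blank` start page or the `iexplore.exe` Run value are not matched and still need a human reader.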