Please help me with this! I've run AdAware, SpyBot Search & Destroy AND SpySubtract. I've run CWShredder and it finds nothing. Yet when I go to Ad/Remove Programs, these three spyware programs remain, with no way of uninstalling them. They're hijacking my homepage, creating new unfavorable Favorites, and causing pop-ups. There must be some way of manually uninstalling these programs...can you guys tell me how? Here's my HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:16:27 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\ZyAIR USB Utility\ZyAIR.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\9odbe2sy.slt\prefs.js)
N2 - Netscape 6: user_pref("", "engine://"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\9odbe2sy.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FF523789-72CD-6C7E-44D7-2F02DE395AF2} - C:\WINDOWS\system32\apinh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\Program Files\SafeSurfing\SSUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [netdk32.exe] C:\WINDOWS\netdk32.exe
O4 - HKLM\..\RunOnce: [addnx.exe] C:\WINDOWS\addnx.exe
O4 - HKLM\..\RunOnce: [msek32.exe] C:\WINDOWS\msek32.exe
O4 - HKLM\..\RunOnce: [mfcgy.exe] C:\WINDOWS\mfcgy.exe
O4 - HKLM\..\RunOnce: [atlep.exe] C:\WINDOWS\system32\atlep.exe
O4 - HKLM\..\RunOnce: [sdkue32.exe] C:\WINDOWS\sdkue32.exe
O4 - HKLM\..\RunOnce: [mssz.exe] C:\WINDOWS\mssz.exe
O4 - HKLM\..\RunOnce: [sdkof32.exe] C:\WINDOWS\sdkof32.exe
O4 - HKLM\..\RunOnce: [wintb32.exe] C:\WINDOWS\system32\wintb32.exe
O4 - HKLM\..\RunOnce: [ipub32.exe] C:\WINDOWS\ipub32.exe
O4 - HKLM\..\RunOnce: [ieom32.exe] C:\WINDOWS\ieom32.exe
O4 - HKLM\..\RunOnce: [atlyq.exe] C:\WINDOWS\system32\atlyq.exe
O4 - HKLM\..\RunOnce: [apibd.exe] C:\WINDOWS\apibd.exe
O4 - HKLM\..\RunOnce: [ipxy32.exe] C:\WINDOWS\ipxy32.exe
O4 - HKLM\..\RunOnce: [iprj.exe] C:\WINDOWS\iprj.exe
O4 - HKLM\..\RunOnce: [javarf32.exe] C:\WINDOWS\system32\javarf32.exe
O4 - HKLM\..\RunOnce: [msmh.exe] C:\WINDOWS\msmh.exe
O4 - HKLM\..\RunOnce: [windf.exe] C:\WINDOWS\system32\windf.exe
O4 - HKLM\..\RunOnce: [winkc32.exe] C:\WINDOWS\system32\winkc32.exe
O4 - HKLM\..\RunOnce: [msix32.exe] C:\WINDOWS\msix32.exe
O4 - HKLM\..\RunOnce: [atlhq32.exe] C:\WINDOWS\system32\atlhq32.exe
O4 - HKLM\..\RunOnce: [d3un32.exe] C:\WINDOWS\system32\d3un32.exe
O4 - HKLM\..\RunOnce: [d3ns32.exe] C:\WINDOWS\system32\d3ns32.exe
O4 - HKLM\..\RunOnce: [iegv32.exe] C:\WINDOWS\iegv32.exe
O4 - HKLM\..\RunOnce: [d3er.exe] C:\WINDOWS\d3er.exe
O4 - HKLM\..\RunOnce: [appox.exe] C:\WINDOWS\appox.exe
O4 - HKLM\..\RunOnce: [sdkgr32.exe] C:\WINDOWS\system32\sdkgr32.exe
O4 - HKLM\..\RunOnce: [syseh.exe] C:\WINDOWS\syseh.exe
O4 - HKLM\..\RunOnce: [mshy32.exe] C:\WINDOWS\mshy32.exe
O4 - HKLM\..\RunOnce: [netqm32.exe] C:\WINDOWS\netqm32.exe
O4 - HKLM\..\RunOnce: [msky.exe] C:\WINDOWS\msky.exe
O4 - HKLM\..\RunOnce: [d3op32.exe] C:\WINDOWS\system32\d3op32.exe
O4 - HKLM\..\RunOnce: [nethj32.exe] C:\WINDOWS\nethj32.exe
O4 - HKLM\..\RunOnce: [ntvt.exe] C:\WINDOWS\ntvt.exe
O4 - HKLM\..\RunOnce: [adddh32.exe] C:\WINDOWS\system32\adddh32.exe
O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
O4 - HKLM\..\RunOnce: [ipcs32.exe] C:\WINDOWS\ipcs32.exe
O4 - HKLM\..\RunOnce: [winji.exe] C:\WINDOWS\system32\winji.exe
O4 - HKLM\..\RunOnce: [sdkdk.exe] C:\WINDOWS\sdkdk.exe
O4 - HKLM\..\RunOnce: [msqu32.exe] C:\WINDOWS\system32\msqu32.exe
O4 - HKLM\..\RunOnce: [atloz32.exe] C:\WINDOWS\atloz32.exe
O4 - HKLM\..\RunOnce: [appjl.exe] C:\WINDOWS\appjl.exe
O4 - HKLM\..\RunOnce: [wingi32.exe] C:\WINDOWS\wingi32.exe
O4 - HKLM\..\RunOnce: [addgy32.exe] C:\WINDOWS\addgy32.exe
O4 - HKLM\..\RunOnce: [javaom.exe] C:\WINDOWS\javaom.exe
O4 - HKLM\..\RunOnce: [adddr32.exe] C:\WINDOWS\system32\adddr32.exe
O4 - HKLM\..\RunOnce: [winmz.exe] C:\WINDOWS\winmz.exe
O4 - HKLM\..\RunOnce: [crtn32.exe] C:\WINDOWS\crtn32.exe
O4 - HKLM\..\RunOnce: [addoz32.exe] C:\WINDOWS\system32\addoz32.exe
O4 - HKLM\..\RunOnce: [atlcd32.exe] C:\WINDOWS\system32\atlcd32.exe
O4 - HKLM\..\RunOnce: [msvw32.exe] C:\WINDOWS\system32\msvw32.exe
O4 - HKLM\..\RunOnce: [netvu.exe] C:\WINDOWS\system32\netvu.exe
O4 - HKLM\..\RunOnce: [apisx.exe] C:\WINDOWS\system32\apisx.exe
O4 - HKLM\..\RunOnce: [ipgc.exe] C:\WINDOWS\system32\ipgc.exe
O4 - HKLM\..\RunOnce: [ipmz32.exe] C:\WINDOWS\ipmz32.exe
O4 - HKLM\..\RunOnce: [addfs32.exe] C:\WINDOWS\system32\addfs32.exe
O4 - HKLM\..\RunOnce: [winij.exe] C:\WINDOWS\system32\winij.exe
O4 - HKLM\..\RunOnce: [ienb32.exe] C:\WINDOWS\system32\ienb32.exe
O4 - HKLM\..\RunOnce: [crwc.exe] C:\WINDOWS\crwc.exe
O4 - HKLM\..\RunOnce: [mfcwe32.exe] C:\WINDOWS\mfcwe32.exe
O4 - HKLM\..\RunOnce: [javaqp32.exe] C:\WINDOWS\system32\javaqp32.exe
O4 - HKLM\..\RunOnce: [crsw32.exe] C:\WINDOWS\crsw32.exe
O4 - HKLM\..\RunOnce: [ntqt32.exe] C:\WINDOWS\system32\ntqt32.exe
O4 - HKLM\..\RunOnce: [appeg.exe] C:\WINDOWS\appeg.exe
O4 - HKLM\..\RunOnce: [ntig32.exe] C:\WINDOWS\ntig32.exe
O4 - HKLM\..\RunOnce: [atlbh32.exe] C:\WINDOWS\system32\atlbh32.exe
O4 - HKLM\..\RunOnce: [crvs32.exe] C:\WINDOWS\system32\crvs32.exe
O4 - HKLM\..\RunOnce: [winnz.exe] C:\WINDOWS\winnz.exe
O4 - HKLM\..\RunOnce: [ipke.exe] C:\WINDOWS\system32\ipke.exe
O4 - HKLM\..\RunOnce: [msaj32.exe] C:\WINDOWS\msaj32.exe
O4 - HKLM\..\RunOnce: [ntou.exe] C:\WINDOWS\system32\ntou.exe
O4 - HKLM\..\RunOnce: [winqn.exe] C:\WINDOWS\system32\winqn.exe
O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\ipfs32.exe
O4 - HKLM\..\RunOnce: [netnb.exe] C:\WINDOWS\system32\netnb.exe
O4 - HKLM\..\RunOnce: [iekw32.exe] C:\WINDOWS\system32\iekw32.exe
O4 - HKLM\..\RunOnce: [appdv.exe] C:\WINDOWS\system32\appdv.exe
O4 - HKLM\..\RunOnce: [ipnv.exe] C:\WINDOWS\ipnv.exe
O4 - HKLM\..\RunOnce: [mfcrz.exe] C:\WINDOWS\system32\mfcrz.exe
O4 - HKLM\..\RunOnce: [crfe32.exe] C:\WINDOWS\system32\crfe32.exe
O4 - HKLM\..\RunOnce: [netfs32.exe] C:\WINDOWS\system32\netfs32.exe
O4 - HKLM\..\RunOnce: [ipea.exe] C:\WINDOWS\system32\ipea.exe
O4 - HKLM\..\RunOnce: [syshb.exe] C:\WINDOWS\system32\syshb.exe
O4 - HKLM\..\RunOnce: [netwy32.exe] C:\WINDOWS\netwy32.exe
O4 - HKLM\..\RunOnce: [mszy32.exe] C:\WINDOWS\system32\mszy32.exe
O4 - HKLM\..\RunOnce: [msig.exe] C:\WINDOWS\msig.exe
O4 - HKLM\..\RunOnce: [winmk32.exe] C:\WINDOWS\system32\winmk32.exe
O4 - HKLM\..\RunOnce: [atlti.exe] C:\WINDOWS\atlti.exe
O4 - HKLM\..\RunOnce: [crqd32.exe] C:\WINDOWS\system32\crqd32.exe
O4 - HKLM\..\RunOnce: [addpt32.exe] C:\WINDOWS\addpt32.exe
O4 - HKLM\..\RunOnce: [atlob32.exe] C:\WINDOWS\system32\atlob32.exe
O4 - HKLM\..\RunOnce: [mstd.exe] C:\WINDOWS\system32\mstd.exe
O4 - HKLM\..\RunOnce: [addna32.exe] C:\WINDOWS\system32\addna32.exe
O4 - HKLM\..\RunOnce: [apips32.exe] C:\WINDOWS\apips32.exe
O4 - HKLM\..\RunOnce: [winun.exe] C:\WINDOWS\system32\winun.exe
O4 - HKLM\..\RunOnce: [syssi32.exe] C:\WINDOWS\system32\syssi32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZyAIR USB Utility.lnk = C:\Program Files\ZyAIR USB Utility\ZyAIR.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) -
O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} (Wavexpress Cab Helper) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -,0,0,9/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addnx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you SO MUCH in advance! You guys rock!


Recommended Answers

what does it set your homepage to (about.blank). Microsoft anti spyware may be able to help but if it is about.blank it can be a real pain to get rid of.

Jump to Post

All 4 Replies

what does it set your homepage to (about.blank). Microsoft anti spyware may be able to help but if it is about.blank it can be a real pain to get rid of.

Yeah, it sets it to about:blank, which is some kind of "quick search" garbage.

Yikes! :eek::eek:

That's an extremely heavy infestation; We'll need much more than HijackThis to fix things.

1. Download the following three utilities and run them consecutively:


CWShredder and about:Buster have an online update function; use that before having them scan and fix. For CWShredder, click the "Fix" button, not the "Scan" button. about:Buster and HSRemove are pretty self-explanatory; just follow their prompts.

2. Download, install, and run:

ewido Security Suite (free trial version)
Microsoft AntiSpyware beta

Again- check for updates first, and then have each program scan your system and fix what it finds.

3. Go to the following sites and run their free online virus/spyware scans. Let them clean what they find:

4. Reboot your computer, run HiajckThis again, and post a new log.

Some Spywares effect antivirus programs.So before running the online virus programs go into Safemode with networking and then run the program. Trend Micro is the one I like.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.20 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.