Please help me with this! I've run AdAware, SpyBot Search & Destroy AND SpySubtract. I've run CWShredder and it finds nothing. Yet when I go to Add/Remove Programs, these three spyware programs remain, with no way of uninstalling them. They're hijacking my homepage, creating new unfavorable Favorites, and causing pop-ups. There must be some way of manually uninstalling these programs...can you guys tell me how? Here's my HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:16:27 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\ZyAIR USB Utility\ZyAIR.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gjuay.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\9odbe2sy.slt\prefs.js)
N2 - Netscape 6: user_pref("", "engine://"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\9odbe2sy.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FF523789-72CD-6C7E-44D7-2F02DE395AF2} - C:\WINDOWS\system32\apinh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\Program Files\SafeSurfing\SSUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [netdk32.exe] C:\WINDOWS\netdk32.exe
O4 - HKLM\..\RunOnce: [addnx.exe] C:\WINDOWS\addnx.exe
O4 - HKLM\..\RunOnce: [msek32.exe] C:\WINDOWS\msek32.exe
O4 - HKLM\..\RunOnce: [mfcgy.exe] C:\WINDOWS\mfcgy.exe
O4 - HKLM\..\RunOnce: [atlep.exe] C:\WINDOWS\system32\atlep.exe
O4 - HKLM\..\RunOnce: [sdkue32.exe] C:\WINDOWS\sdkue32.exe
O4 - HKLM\..\RunOnce: [mssz.exe] C:\WINDOWS\mssz.exe
O4 - HKLM\..\RunOnce: [sdkof32.exe] C:\WINDOWS\sdkof32.exe
O4 - HKLM\..\RunOnce: [wintb32.exe] C:\WINDOWS\system32\wintb32.exe
O4 - HKLM\..\RunOnce: [ipub32.exe] C:\WINDOWS\ipub32.exe
O4 - HKLM\..\RunOnce: [ieom32.exe] C:\WINDOWS\ieom32.exe
O4 - HKLM\..\RunOnce: [atlyq.exe] C:\WINDOWS\system32\atlyq.exe
O4 - HKLM\..\RunOnce: [apibd.exe] C:\WINDOWS\apibd.exe
O4 - HKLM\..\RunOnce: [ipxy32.exe] C:\WINDOWS\ipxy32.exe
O4 - HKLM\..\RunOnce: [iprj.exe] C:\WINDOWS\iprj.exe
O4 - HKLM\..\RunOnce: [javarf32.exe] C:\WINDOWS\system32\javarf32.exe
O4 - HKLM\..\RunOnce: [msmh.exe] C:\WINDOWS\msmh.exe
O4 - HKLM\..\RunOnce: [windf.exe] C:\WINDOWS\system32\windf.exe
O4 - HKLM\..\RunOnce: [winkc32.exe] C:\WINDOWS\system32\winkc32.exe
O4 - HKLM\..\RunOnce: [msix32.exe] C:\WINDOWS\msix32.exe
O4 - HKLM\..\RunOnce: [atlhq32.exe] C:\WINDOWS\system32\atlhq32.exe
O4 - HKLM\..\RunOnce: [d3un32.exe] C:\WINDOWS\system32\d3un32.exe
O4 - HKLM\..\RunOnce: [d3ns32.exe] C:\WINDOWS\system32\d3ns32.exe
O4 - HKLM\..\RunOnce: [iegv32.exe] C:\WINDOWS\iegv32.exe
O4 - HKLM\..\RunOnce: [d3er.exe] C:\WINDOWS\d3er.exe
O4 - HKLM\..\RunOnce: [appox.exe] C:\WINDOWS\appox.exe
O4 - HKLM\..\RunOnce: [sdkgr32.exe] C:\WINDOWS\system32\sdkgr32.exe
O4 - HKLM\..\RunOnce: [syseh.exe] C:\WINDOWS\syseh.exe
O4 - HKLM\..\RunOnce: [mshy32.exe] C:\WINDOWS\mshy32.exe
O4 - HKLM\..\RunOnce: [netqm32.exe] C:\WINDOWS\netqm32.exe
O4 - HKLM\..\RunOnce: [msky.exe] C:\WINDOWS\msky.exe
O4 - HKLM\..\RunOnce: [d3op32.exe] C:\WINDOWS\system32\d3op32.exe
O4 - HKLM\..\RunOnce: [nethj32.exe] C:\WINDOWS\nethj32.exe
O4 - HKLM\..\RunOnce: [ntvt.exe] C:\WINDOWS\ntvt.exe
O4 - HKLM\..\RunOnce: [adddh32.exe] C:\WINDOWS\system32\adddh32.exe
O4 - HKLM\..\RunOnce: [iete.exe] C:\WINDOWS\system32\iete.exe
O4 - HKLM\..\RunOnce: [ipcs32.exe] C:\WINDOWS\ipcs32.exe
O4 - HKLM\..\RunOnce: [winji.exe] C:\WINDOWS\system32\winji.exe
O4 - HKLM\..\RunOnce: [sdkdk.exe] C:\WINDOWS\sdkdk.exe
O4 - HKLM\..\RunOnce: [msqu32.exe] C:\WINDOWS\system32\msqu32.exe
O4 - HKLM\..\RunOnce: [atloz32.exe] C:\WINDOWS\atloz32.exe
O4 - HKLM\..\RunOnce: [appjl.exe] C:\WINDOWS\appjl.exe
O4 - HKLM\..\RunOnce: [wingi32.exe] C:\WINDOWS\wingi32.exe
O4 - HKLM\..\RunOnce: [addgy32.exe] C:\WINDOWS\addgy32.exe
O4 - HKLM\..\RunOnce: [javaom.exe] C:\WINDOWS\javaom.exe
O4 - HKLM\..\RunOnce: [adddr32.exe] C:\WINDOWS\system32\adddr32.exe
O4 - HKLM\..\RunOnce: [winmz.exe] C:\WINDOWS\winmz.exe
O4 - HKLM\..\RunOnce: [crtn32.exe] C:\WINDOWS\crtn32.exe
O4 - HKLM\..\RunOnce: [addoz32.exe] C:\WINDOWS\system32\addoz32.exe
O4 - HKLM\..\RunOnce: [atlcd32.exe] C:\WINDOWS\system32\atlcd32.exe
O4 - HKLM\..\RunOnce: [msvw32.exe] C:\WINDOWS\system32\msvw32.exe
O4 - HKLM\..\RunOnce: [netvu.exe] C:\WINDOWS\system32\netvu.exe
O4 - HKLM\..\RunOnce: [apisx.exe] C:\WINDOWS\system32\apisx.exe
O4 - HKLM\..\RunOnce: [ipgc.exe] C:\WINDOWS\system32\ipgc.exe
O4 - HKLM\..\RunOnce: [ipmz32.exe] C:\WINDOWS\ipmz32.exe
O4 - HKLM\..\RunOnce: [addfs32.exe] C:\WINDOWS\system32\addfs32.exe
O4 - HKLM\..\RunOnce: [winij.exe] C:\WINDOWS\system32\winij.exe
O4 - HKLM\..\RunOnce: [ienb32.exe] C:\WINDOWS\system32\ienb32.exe
O4 - HKLM\..\RunOnce: [crwc.exe] C:\WINDOWS\crwc.exe
O4 - HKLM\..\RunOnce: [mfcwe32.exe] C:\WINDOWS\mfcwe32.exe
O4 - HKLM\..\RunOnce: [javaqp32.exe] C:\WINDOWS\system32\javaqp32.exe
O4 - HKLM\..\RunOnce: [crsw32.exe] C:\WINDOWS\crsw32.exe
O4 - HKLM\..\RunOnce: [ntqt32.exe] C:\WINDOWS\system32\ntqt32.exe
O4 - HKLM\..\RunOnce: [appeg.exe] C:\WINDOWS\appeg.exe
O4 - HKLM\..\RunOnce: [ntig32.exe] C:\WINDOWS\ntig32.exe
O4 - HKLM\..\RunOnce: [atlbh32.exe] C:\WINDOWS\system32\atlbh32.exe
O4 - HKLM\..\RunOnce: [crvs32.exe] C:\WINDOWS\system32\crvs32.exe
O4 - HKLM\..\RunOnce: [winnz.exe] C:\WINDOWS\winnz.exe
O4 - HKLM\..\RunOnce: [ipke.exe] C:\WINDOWS\system32\ipke.exe
O4 - HKLM\..\RunOnce: [msaj32.exe] C:\WINDOWS\msaj32.exe
O4 - HKLM\..\RunOnce: [ntou.exe] C:\WINDOWS\system32\ntou.exe
O4 - HKLM\..\RunOnce: [winqn.exe] C:\WINDOWS\system32\winqn.exe
O4 - HKLM\..\RunOnce: [ipfs32.exe] C:\WINDOWS\ipfs32.exe
O4 - HKLM\..\RunOnce: [netnb.exe] C:\WINDOWS\system32\netnb.exe
O4 - HKLM\..\RunOnce: [iekw32.exe] C:\WINDOWS\system32\iekw32.exe
O4 - HKLM\..\RunOnce: [appdv.exe] C:\WINDOWS\system32\appdv.exe
O4 - HKLM\..\RunOnce: [ipnv.exe] C:\WINDOWS\ipnv.exe
O4 - HKLM\..\RunOnce: [mfcrz.exe] C:\WINDOWS\system32\mfcrz.exe
O4 - HKLM\..\RunOnce: [crfe32.exe] C:\WINDOWS\system32\crfe32.exe
O4 - HKLM\..\RunOnce: [netfs32.exe] C:\WINDOWS\system32\netfs32.exe
O4 - HKLM\..\RunOnce: [ipea.exe] C:\WINDOWS\system32\ipea.exe
O4 - HKLM\..\RunOnce: [syshb.exe] C:\WINDOWS\system32\syshb.exe
O4 - HKLM\..\RunOnce: [netwy32.exe] C:\WINDOWS\netwy32.exe
O4 - HKLM\..\RunOnce: [mszy32.exe] C:\WINDOWS\system32\mszy32.exe
O4 - HKLM\..\RunOnce: [msig.exe] C:\WINDOWS\msig.exe
O4 - HKLM\..\RunOnce: [winmk32.exe] C:\WINDOWS\system32\winmk32.exe
O4 - HKLM\..\RunOnce: [atlti.exe] C:\WINDOWS\atlti.exe
O4 - HKLM\..\RunOnce: [crqd32.exe] C:\WINDOWS\system32\crqd32.exe
O4 - HKLM\..\RunOnce: [addpt32.exe] C:\WINDOWS\addpt32.exe
O4 - HKLM\..\RunOnce: [atlob32.exe] C:\WINDOWS\system32\atlob32.exe
O4 - HKLM\..\RunOnce: [mstd.exe] C:\WINDOWS\system32\mstd.exe
O4 - HKLM\..\RunOnce: [addna32.exe] C:\WINDOWS\system32\addna32.exe
O4 - HKLM\..\RunOnce: [apips32.exe] C:\WINDOWS\apips32.exe
O4 - HKLM\..\RunOnce: [winun.exe] C:\WINDOWS\system32\winun.exe
O4 - HKLM\..\RunOnce: [syssi32.exe] C:\WINDOWS\system32\syssi32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZyAIR USB Utility.lnk = C:\Program Files\ZyAIR USB Utility\ZyAIR.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) -
O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} (Wavexpress Cab Helper) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -,0,0,9/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addnx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you SO MUCH in advance! You guys rock!



What does it set your homepage to (about.blank)? Microsoft anti spyware may be able to help, but if it is about.blank it can be a real pain to get rid of.

Yeah, it sets it to about:blank, which is some kind of "quick search" garbage.

Yikes! :eek::eek:

That's an extremely heavy infestation; we'll need much more than HijackThis to fix things.

1. Download the following three utilities and run them consecutively:


CWShredder and about:Buster have an online update function; use that before having them scan and fix. For CWShredder, click the "Fix" button, not the "Scan" button. about:Buster and HSRemove are pretty self-explanatory; just follow their prompts.

2. Download, install, and run:

ewido Security Suite (free trial version)
Microsoft AntiSpyware beta

Again, check for updates first, and then have each program scan your system and fix what it finds.

3. Go to the following sites and run their free online virus/spyware scans. Let them clean what they find:

4. Reboot your computer, run HijackThis again, and post a new log.

Some spyware affects antivirus programs. So before running the online virus programs, go into Safe Mode with Networking and then run the program. Trend Micro is the one I like.
