
Need help trying to remove the search assistant. Any advice would be greatly appreciated. Also, unable to update Windows with the latest updates or install QuickTime.


Logfile of HijackThis v1.99.1
Scan saved at 11:01:42 AM, on 8/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Scott\Desktop\Spyware Removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\9nw2wmzr.slt\prefs.js)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [p73O3nW] ifmdle.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Winzip Taskmngr] C:\update.exe
O4 - HKLM\..\Run: [VideoraConverter] C:\Program Files\VideoraConverter\VideoraConverter.exe -t
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Scott\Desktop\Spyware Removal\HijackThis.exe /startupscan
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Hijack log...


tinahakina, if you just do the following it should help. Start HijackThis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [p73O3nW] ifmdle.exe
O4 - HKLM\..\Run: [Winzip Taskmngr] C:\update.exe
O4 - Startup: PowerReg Scheduler V3.exe

Then delete these files:
C:\update.exe
Delete this directory:
C:\Program Files\powerreg

In addition you could run ComboFix:
Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
To run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Post that log plus a fresh HijackThis log with your comments also.
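The three entries the helper picked out share traits a reviewer looks for in O4 lines: a bare filename with no directory, an executable dropped at the drive root, a machine-generated value name, and a plain .exe sitting in the Startup folder. The Python below is an added example, not code from the thread or from HijackThis, that screens a log's O4 lines for exactly those traits; the sample lines are copied from the log above and the heuristics (`looks_random`, the drive-root and Startup-folder checks) are assumptions chosen to match this log, not general rules.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [p73O3nW] ifmdle.exe
O4 - HKLM\..\Run: [Winzip Taskmngr] C:\update.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

# O4 lines read "O4 - <location>: [<value name>] <command>"; Startup-folder items carry no [name].
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # e.g. C:\update.exe

def executable(cmd):  # program path from a Run-key command line, quoted or not
    cmd = cmd.split(" = ", 1)[-1]  # Startup "name.lnk = target" form
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def looks_random(name):  # heuristic: a digit present and no run of four letters, e.g. p73O3nW
    return bool(re.search(r"\d", name)) and not re.search(r"[A-Za-z]{4,}", name)

def audit_o4(log_text):
    """Return [(executable, [reasons])] for O4 entries that merit a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        loc, name, cmd = m.group("loc"), m.group("name"), m.group("cmd")
        exe = executable(cmd)
        reasons = []
        if loc == "Startup":
            # installers drop .lnk shortcuts; a bare .exe in the Startup folder is unusual
            if " = " not in cmd and cmd.lower().endswith(".exe"):
                reasons.append("executable placed directly in the Startup folder")
        else:
            if "\\" not in exe:
                reasons.append("no directory given, so the loader searches the path for it")
            elif DRIVE_ROOT.match(exe):
                reasons.append("program sits directly in the drive root")
            if name and looks_random(name):
                reasons.append("value name looks machine-generated")
        if reasons:
            findings.append((exe, reasons))
    return findings
```

`audit_o4(SAMPLE_LOG)` returns the same three entries the helper told the poster to fix and nothing else; the MP10 and iTunes lines pass, which is the point of keeping the heuristics narrow.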


Thanks for your help!
Log is below:


Logfile of HijackThis v1.99.1
Scan saved at 12:23:08 PM, on 8/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Documents and Settings\Scott\Desktop\Spyware Removal\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\SoftwareDistribution\Download\fefe9529e7158e83ef9ac9ad7f6b2bb4\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Scott\Application Data\Mozilla\Profiles\default\9nw2wmzr.slt\prefs.js)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [VideoraConverter] C:\Program Files\VideoraConverter\VideoraConverter.exe -t
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Scott\Desktop\Spyware Removal\HijackThis.exe /startupscan
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Current Status:
Internet Explorer is constantly trying to check to be the default browser.
I have not launched any application.

ComboFix log below as requested:

ComboFix 07-08-14.4 - "Scott" 2007-08-15 12:04:53.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.364 [GMT -4:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\Scott\APPLIC~1\install.dat
C:\DOCUME~1\Scottie\APPLIC~1\..\err.log
C:\DOCUME~1\Scottie\APPLIC~1\..\ResErrors.log
C:\DOCUME~1\Scottie\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\Scottie\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\Program Files\Common Files\download
C:\Program Files\Common Files\uninstall information
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\Common Files\windows
C:\Program Files\Internet Explorer\zyxo.html
C:\Program Files\ipwindows
C:\Program Files\Outlook Express\zyxo.html
C:\Program Files\system files
C:\Program Files\WindowsUpdate\zyxo.html
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\tn3
C:\WINDOWS\system32\__c00B9C40.dat
C:\WINDOWS\system32\__c00BAF1.dat
C:\WINDOWS\system32\bqiuccfi.dll
C:\WINDOWS\SYSTEM32\cylesemm.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\ivqhfghs.dll
C:\WINDOWS\system32\mmeselyc.dll
C:\WINDOWS\SYSTEM32\naqigiln.ini
C:\WINDOWS\system32\nligiqan.dll
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\ventaa.exe
C:\WINDOWS\system32\vmss
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\win320675886172006.exe
C:\xcrashdump.dat

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_SFSYNC02
-------\core
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))

2007-08-15 09:51 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 14:37 <DIR> d-------- C:\DOCUME~1\Scott\APPLIC~1\Talkback
2007-08-14 10:34 <DIR> d-------- C:\Program Files\Innovatools
2007-08-13 11:12 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-08-13 11:12 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-08-06 10:27 <DIR> d-------- C:\Program Files\Ace Utilities
2007-08-03 10:19 <DIR> d-------- C:\DOCUME~1\Scott\.housecall6.6
2007-08-03 08:36 <DIR> d-------- C:\VundoFix Backups
2007-08-02 14:43 4,980,736 --a------ C:\DOCUME~1\Scott\ntuser.dat
2007-08-02 14:43 1,126,400 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat
2007-08-02 14:43 1,126,400 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-08-02 14:41 <DIR> d-------- C:\WINDOWS\pss
2007-08-02 14:40 <DIR> d-------- C:\Program Files\IObit
2007-08-02 12:05 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-08-02 12:05 <DIR> d-------- C:\Program Files\Trend Micro

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 12:06 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-14 11:18 --------- d-------- C:\Program Files\QuickTime
2007-08-13 17:53 --------- d-------- C:\Program Files\Yahoo!
2007-08-13 14:17 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-06 10:43 --------- d-------- C:\Program Files\AIM
2007-08-06 10:25 --------- d-------- C:\Program Files\Online Services
2007-08-03 13:18 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-08-02 19:53 --------- d-------- C:\DOCUME~1\Scott\APPLIC~1\Xfire
2007-08-02 14:06 --------- d-------- C:\Program Files\WHENUS~1
2007-08-02 14:05 --------- d-------- C:\Program Files\WebHost
2007-08-02 14:05 --------- d-------- C:\Program Files\Cmstpage
2007-08-02 14:05 --------- d-------- C:\DOCUME~1\Scott\APPLIC~1\Lycos
2007-05-31 01:25 249795 --a------ C:\WINDOWS\b129.exe.bin
2004-08-05 19:03 25456 --a--c--- C:\Program Files\adupdmanager.xml
2004-08-03 01:41 209376 --a--c--- C:\DOCUME~1\Scott\APPLIC~1\tvmknwrd.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2006-12-14 22:01]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2006-12-14 22:01]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2006-12-14 22:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2006-12-14 22:01]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2006-12-14 22:01]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2006-12-14 22:01]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-12-14 22:01]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2006-12-14 22:01]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2006-12-14 22:01]
"VideoraConverter"="C:\Program Files\VideoraConverter\VideoraConverter.exe" [2006-12-14 22:01]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-12-14 22:01]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2006-12-14 22:01]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2006-12-14 22:01]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2006-12-14 22:01]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2002-12-11 16:08]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 17:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"HijackThis startup scan"="C:\Documents and Settings\Scott\Desktop\Spyware Removal\HijackThis.exe" [2005-02-16 12:06]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-08-02 12:05:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 15:36:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Internet Explorer\zyxo.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Program Files\Outlook Express\zyxo.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Program Files\WindowsUpdate\zyxo.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

S3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\System32\DRIVERS\el90xnd5.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

Contents of the 'Scheduled Tasks' folder
2007-08-15 16:10:00 C:\WINDOWS\Tasks\ (TUGGLE-Katie).job
2007-08-14 20:29:00 C:\WINDOWS\Tasks\ (TUGGLE-Scottie).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2004-01-23 00:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-04 00:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TUGGLE-Kristin).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 12:09:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Rpcmaud]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\wstoside.sys"

Completion time: 2007-08-15 12:14:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-15 12:13

--- E O F ---


Tinahakina, right-click your desktop in a clear space [not on an icon etc.], Properties, Desktop, Customise Desktop, Web; select and delete those pages there.
