"Home Search" and bunch of adware programs

Discussion in 'Malware Help (A Specialist Will Reply)' started by UVA, Jan 18, 2005.

  1. UVA

    UVA Private E-2

    Big problem....
    I've run every program on the "READ ME FIRST" Thread and I still can't get rid of all this crap.

    I'm getting these trojans:
    HideProc.a
    Lefeat
    Lefeat.1

    I'm running Luke Firewalker (sp?) AntiVir and it is finding these trojans.
    I can't get rid of them through either program, they keep showing up.

    Please help me!
    Thanks!
     
  2. UVA

    UVA Private E-2

    Forgot to add...
    Whenever I type in the url box and press enter it says "server not found", but when I search for something on the google toolbar it shows results.
     
  3. UVA

    UVA Private E-2

    Okay, now it is just "about:blank" homepage. But I am still getting a pop-up for "Home Search"... Can anyone help me?

    Thanks.
     
  4. UVA

    UVA Private E-2

    Okay, I tried doing the "READ ME FIRST" Thread again, but it is not letting me do the scans. A window appears stating that "Internet Explorer is now closing".

    Someone please help me...

    *****
    I am no longer able to chat on AIM now. It is stating this same thing when trying to scan with the programs listed in the "READ ME FIRST" thread.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem, follow the guidelines below.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  6. UVA

    UVA Private E-2

    I tried going over the "READ ME FIRST" Thread but when I try and scan, the window appears stating Internet Explorer will now close....

    When I go into safe mode w/networking, it is not letting me access the internet. "Cannot display" or "Server not found"

    Here is the HJT Log.

    Thanks for replying Chas!
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    Hi UVA,

    I'm about to call it a night, but try this before Chas checks back:

    Please look in Add or Remove Programs for the following and Uninstall it if found:

    Viewpoint

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {AB9FA8F5-6BFA-A465-AC13-2BF9ADC97E65} - C:\WINDOWS\atlxq32.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\RAY\LOCALS~1\Temp\3.tmp.exe 3 10001

    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)

    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/2afc07c3/enter.cab
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\DOCUME~1\RAY\LOCALS~1\Temp\3.tmp.exe 3 10001
    C:\WINDOWS\atlxq32.dll
    C:\Program Files\Viewpoint --> the folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    I imagine Chas will check back Tuesday.

    Best luck :)
    PP
     
  8. UVA

    UVA Private E-2

    Thanks for the response PhilliePhan!

    Here is the log.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since PP isn't here at the moment I will assist you. First thing I noticed from your log is that you're not up-to-date on your updates from Microsoft. I would highly recommend you update to Windows XP Service Pack 2 ASAP, so you won't be as open to infections as you are now. Be sure to have a clean system before installing SP2. Also regarding your HJT log, it looks fine as of right now. Are you still experiencing any problems? If so let me know.

    Thanks! Bj:)
     
  10. UVA

    UVA Private E-2

    I read that installing SP2 causes conflict with some programs, is this true?

    So far so good. I haven't experienced anything negative! :)
    Thanks for everything guys! I love this place.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes! I have received reports on some programs that were affected by the installation of Service Pack 2; if you experience any problems you can just simply uninstall it. If you decide not to install SP2 you need at least Windows XP SP1a for security purposes. Please see this website below for information on the software problems and SP2!

    http://support.microsoft.com/default.aspx?kbid=884130&product=windowsxpsp2
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    This should only be done after removal of all malware. We have seen many cases of bad upgrades to SP2 while malware was present. So what we typically prefer to do is fix the current problems and then do upgrades (even other patches and SPs). There are a few rare instances where a patch may be installed first before fixing other problems.
     
  13. UVA

    UVA Private E-2

    Well, spoke too soon. "Home Search" homepage is back with many of its pop-up friends.

    May I post another HJT log?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, post another log! Make sure it is from normal boot mode.
     
  15. UVA

    UVA Private E-2

    Here it is.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't have a complete HSA hijack (part of it shows but not all). But you now have other problems that you did not have earlier!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\DOCUME~1\RAY\LOCALS~1\Temp\2.tmp
    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [javabt32.exe] C:\WINDOWS\system32\javabt32.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)

    After clicking Fix, exit HJT.
    Those O15 lines may keep coming back. If so, another approach will be used to fix them.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\RAY\Local Settings\Temp <-- delete all files and subfolders in this temp folder (some may not be deletable - note which ones)
    C:\WINDOWS\system32\javabt32.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
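The entries PhilliePhan and chaslang pick out of the attached logs (res:// search pages, an unnamed BHO, an O4 autorun living in a Temp folder, the O15 Trusted Zone / Trusted IP range lines, a DPF ActiveX download, a service whose file is missing) follow a handful of patterns. The following is an added example, not a tool from this thread or from MajorGeeks: a small Python triage script that applies those patterns to HijackThis log lines. The sample log is constructed from lines quoted in this thread plus one made-up benign entry (ExampleApp).

```python
import re
from typing import Optional

# Constructed sample log: entries modelled on the HijackThis lines quoted in
# this thread, plus one benign autorun (ExampleApp) so a clean line is shown.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\twzdf.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {AB9FA8F5-6BFA-A465-AC13-2BF9ADC97E65} - C:\WINDOWS\atlxq32.dll
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\RAY\LOCALS~1\Temp\3.tmp.exe 3 10001
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/2afc07c3/enter.cab
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntfd32.exe (file missing)
"""

# Matches a path segment named Temp, e.g. ...\LOCALS~1\Temp\3.tmp.exe
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


def classify(line: str) -> Optional[str]:
    """Return a reason if the HijackThis line deserves review, else None."""
    line = line.strip()
    if not line:
        return None
    kind = line.split(" - ", 1)[0]          # R0, R1, O2, O4, O15, ...
    if kind in ("R0", "R1"):
        value = line.split(" = ", 1)[1] if " = " in line else ""
        if value.lower().startswith("res://"):
            return "IE search/start page redirected into a res:// DLL resource (HSA-style hijack)"
        if value.lower() == "about:blank":
            return "IE page forced to about:blank (the symptom reported in this thread)"
        return None
    if kind == "O2" and "(no name)" in line:
        return "BHO with no name; inspect the DLL before trusting it"
    if kind == "O4" and TEMP_DIR.search(line):
        return "autorun entry executing from a Temp folder"
    if kind == "O15":
        return "Trusted Zone / Trusted IP range entry; users rarely add these on purpose"
    if kind == "O16":
        return "ActiveX download (DPF); verify the publisher of the .cab"
    if kind == "O23" and "(file missing)" in line:
        return "service points at a missing binary; likely a malware remnant"
    return None


def scan(log_text: str) -> list:
    """Return (entry, reason) pairs for every flagged line in a log."""
    return [(ln.strip(), r) for ln in log_text.splitlines() if (r := classify(ln))]


if __name__ == "__main__":
    for entry, reason in scan(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Flagged lines are candidates for review, not an automatic fix list; a legitimate product can also register a BHO or an ActiveX control.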
     
  17. UVA

    UVA Private E-2

    Here you go Chas...
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Now check your HJT log. Those O15 lines should be gone.

    Any other problems?
     
  19. UVA

    UVA Private E-2

    Looks good.

    Hopefully it is all gone, anything I should do so that it doesn't happen this bad again?
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're clean now! One of your biggest problems is the fact that your OS is severely out of date. You need your Windows updates and some other stuff too. Do the steps here:

    How to Protect yourself from malware!
     
  21. UVA

    UVA Private E-2

    Sorry to bring this back, but I have a "trusted ip" I can't get rid of....

    help:(
     

    Attached Files:

  22. UVA

    UVA Private E-2

    :(....
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have not done what I gave you in message # 20. Please do so or you will be here every day trying to solve a new problem.
     
  24. UVA

    UVA Private E-2

    I believe the only thing I needed to do is download a firewall program, which I have just done.

    Can't update my OS because it is stating that I would need to get rid of all spyware before updating.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It also looks to me like your antivirus application is not running. It does not show in your processes list even though I see one line for it in the O4 section and another in the O23 section. You may need to reinstall AV Personal.

    Who is telling you that you need to get rid of spyware first? Is it Microsoft Update?
    Were you trying to do the WinXP SP2 upgrade or the other individual patches?

    The point of message #20 was that you were supposed to do those steps at that time while you were clean. That could have potentially prevented this reinfection.

    You have signs of an HSA hijacker in your log. Was that log from normal boot mode or safe mode?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    Print or save the below instructions locally because you must have all browsers closed and disconnect from the internet while doing the below.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial). For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and if found kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\javavu.exe
    C:\WINDOWS\mfcdy.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {D408CA02-757E-8C7E-C5C1-63DA44B1D61A} - C:\WINDOWS\system32\sdkep32.dll
    O4 - HKLM\..\Run: [javavu.exe] C:\WINDOWS\system32\javavu.exe
    O4 - HKLM\..\RunOnce: [mfcdy.exe] C:\WINDOWS\mfcdy.exe
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntfd32.exe (file missing)

    After clicking Fix, exit HJT.

    Run About:Buster from the READ ME tutorial and before running the scan make sure you update to the current database! Then make sure no browsers are running and perform a scan with About:Buster. And say yes to doing the second scan.

    Immediately after About:Buster completes, boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\sdkep32.dll
    C:\WINDOWS\system32\javavu.exe
    C:\WINDOWS\mfcdy.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  27. UVA

    UVA Private E-2

    Will do.

    Yes

    I believe I already downloaded the patches, it was when I was going to download SP2.

    Safe mode
     
  28. UVA

    UVA Private E-2

    New log...
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please get the new HijackThis 1.99.1 and make sure you boot in normal mode and get a new log and post it.

    No you don't have all the others! You are not even close to having them. There are many that you do not have.

    If your next log is clean, you must go to MS and get updated immediately. This will be a huge update. SP2 is around 270 MB. And you have many more updates required. I hope you are not on dial-up.
     
  30. UVA

    UVA Private E-2

    Sorry for the very late response....but here is the latest log.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OKAY! It's been a while.

    So it still looks like you need to get your Windows Updates. Have you tried to do that again? Do not select the Express install method that will try to put XP SP2 on your system. Try using Custom Install and get all the other updates.
     
