Home Search Assistant...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sung715, Jun 27, 2004.

  1. Sung715

    Sung715 Private E-2

    I need help removing Home Search Assistant. Here is the process log from HijackThis.
    Please point out the wrong processes... thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 4:41:33 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\msya.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\msac.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jong Eun\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3C40457D-AD33-9573-322C-CB94004FBA80} - C:\WINDOWS\ntge.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.e
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    That's a pretty short log file; I don't see anything that I recognize, at least that is out of place. I am not sure what ntge.dll is.

    Please read the Hijack This tutorial, it explains how to analyze your log file. From there, let us know if we can help more!
     
  3. Sung715

    Sung715 Private E-2

    Major,

    Will reinstalling Windows XP do any good? I have only had the computer for 2 days and didn't really install anything but Spybot, a firewall, Winamp and a game... Can't believe I got spyware this annoying... I tried everything from other threads, like deleting the HSA, SE, SA, SW, but they regenerate quickly... I also tried in safe mode with System Restore off, updated Spybot, and I found that none of the things those threads said to delete were in my log.... I have no other way to solve this.... Please help me... BTW, here's a new log from HijackThis

    Logfile of HijackThis v1.97.7
    Scan saved at 7:10:41 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\msya.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\msac.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jong Eun\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3C40457D-AD33-9573-322C-CB94004FBA80} - C:\WINDOWS\ntge.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msac.exe] C:\WINDOWS\msac.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\RunOnce: [msya.exe] C:\WINDOWS\system32\msya.exe
    O4 - HKLM\..\RunOnce: [iewg32.exe] C:\WINDOWS\iewg32.exe
    O4 - HKLM\..\RunOnce: [mfcwy32.exe] C:\WINDOWS\mfcwy32.exe
    O4 - HKLM\..\RunOnce: [ievr32.exe] C:\WINDOWS\ievr32.exe
    O4 - HKLM\..\RunOnce: [atlnn32.exe] C:\WINDOWS\system32\atlnn32.exe
    O4 - HKLM\..\RunOnce: [ipsp32.exe] C:\WINDOWS\ipsp32.exe
    O4 - HKLM\..\RunOnce: [winud.exe] C:\WINDOWS\winud.exe
    O4 - HKLM\..\RunOnce: [nthp32.exe] C:\WINDOWS\nthp32.exe
    O4 - HKLM\..\RunOnce: [syslw32.exe] C:\WINDOWS\syslw32.exe
    O4 - HKLM\..\RunOnce: [netdx32.exe] C:\WINDOWS\netdx32.exe
    O4 - HKLM\..\RunOnce: [apitp.exe] C:\WINDOWS\system32\apitp.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl486.daum.net/hanmail-ax/HM_fileupload.cab
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Don't reinstall yet. I'm working on your log now. Will post as soon as I have Steps to follow completed.
     
  5. Sung715

    Sung715 Private E-2

    Thanks for the help, I will hold off for a while.
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    He told me he has had the PC for 2 days, dumping *might* be quicker, but get SpywareBlaster next time around.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly, if it doesn't work on the first try. But Sung will learn more this way. Let's give it a try. Coming soon, almost done.

    But wait..... I do not see any R0 & R1 lines from HijackThis. Are you sure this is the whole log?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sung,

    Let's try a possibly shorter method first. Since your PC is so new maybe this would be a better, quicker solution. Let's try using System Restore to restore your system to a point before the problem began. Take a look at this link it will explain System Restore to you:

    http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx

    Note that doing this also has the effect of removing anything else you have installed or set up after the System Restore point too. But since your PC is so new that may not be too big an issue.

    If this does not work, I will post a step by step method to try.
     
  9. Sung715

    Sung715 Private E-2

    Darn... my computer has created one restore point, a checkpoint, but I guess that was the date my computer got infected with Home Search Assistant...

    Please tell me the step-by-step method, or if reinstalling is faster..... Here's a log from HijackThis after System Restore....

    Logfile of HijackThis v1.97.7
    Scan saved at 4:48:32 AM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\msya.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\msac.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jong Eun\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {3C40457D-AD33-9573-322C-CB94004FBA80} - C:\WINDOWS\ntge.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msac.exe] C:\WINDOWS\msac.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\RunOnce: [msya.exe] C:\WINDOWS\system32\msya.exe
    O4 - HKLM\..\RunOnce: [iewg32.exe] C:\WINDOWS\iewg32.exe
    O4 - HKLM\..\RunOnce: [mfcwy32.exe] C:\WINDOWS\mfcwy32.exe
    O4 - HKLM\..\RunOnce: [ievr32.exe] C:\WINDOWS\ievr32.exe
    O4 - HKLM\..\RunOnce: [atlnn32.exe] C:\WINDOWS\system32\atlnn32.exe
    O4 - HKLM\..\RunOnce: [ipsp32.exe] C:\WINDOWS\ipsp32.exe
    O4 - HKLM\..\RunOnce: [winud.exe] C:\WINDOWS\winud.exe
    O4 - HKLM\..\RunOnce: [nthp32.exe] C:\WINDOWS\nthp32.exe
    O4 - HKLM\..\RunOnce: [syslw32.exe] C:\WINDOWS\syslw32.exe
    O4 - HKLM\..\RunOnce: [netdx32.exe] C:\WINDOWS\netdx32.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl486.daum.net/hanmail-ax/HM_fileupload.cab
     
  10. Sung715

    Sung715 Private E-2

    Oh, by the way, the computer came with restore CDs... I don't know if they recover the whole computer or the registry... I wonder if that might help...
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see any R0 and R1 lines for the hijacker in your HijackThis log. Have you been fixing things? If so, stop; it will make it mutate and get worse. I do see a load of EXE files that are related. I am going to post a possible solution for you to try, but since I do not see any R0 & R1 lines I have to leave out some steps. Not sure if it will work. SKIP STEP 5 where I put in XXXXX.DLL.

    Below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so.
    1) Disable System Restore and reboot! Here's how to do that: http://www.majorgeeks.com/vb/showthread.php?t=31668
    2) Make sure you have enabled viewing of Hidden Files and Folders with Windows Explorer. To see how to do that, see this: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    3) Make sure you know how to boot in safe mode too (but don't do it yet!):
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    4) Disconnect from the internet (pull your ethernet cable if you have DSL or a cable modem. If you have an analog modem, drop your connection!)
    5) SKIP THIS STEP
    Now click Start, Run, and enter the following command "notepad C:\WINDOWS\system32\xxxxx.dll" (without the quotes) and click OK. Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file).
    Now using Windows Explorer, locate the file xxxxx.dll and right click on it and select Properties and change the attributes to Read Only and click OK.

    6) Check to see if a Windows service name "Network Security Service" is running. To do this:
    Click Start, Run, and enter this in the Open box: services.msc Then click OK.
    Now in the Services window that pops up look for Network Security Service. If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, I need to know the info in the "Path to executable" box.
    If you do not find this service running, just continue with the next steps.
    7) Now shut down all applications (especially IE and Windows Explorer) and run HijackThis. Have it fix only what I give you below:
    O2 - BHO: (no name) - {3C40457D-AD33-9573-322C-CB94004FBA80} - C:\WINDOWS\ntge.dll
    O4 - HKLM\..\RunOnce: [msya.exe] C:\WINDOWS\system32\msya.exe
    O4 - HKLM\..\RunOnce: [iewg32.exe] C:\WINDOWS\iewg32.exe
    O4 - HKLM\..\RunOnce: [mfcwy32.exe] C:\WINDOWS\mfcwy32.exe
    O4 - HKLM\..\RunOnce: [ievr32.exe] C:\WINDOWS\ievr32.exe
    O4 - HKLM\..\RunOnce: [atlnn32.exe] C:\WINDOWS\system32\atlnn32.exe
    O4 - HKLM\..\RunOnce: [ipsp32.exe] C:\WINDOWS\ipsp32.exe
    O4 - HKLM\..\RunOnce: [winud.exe] C:\WINDOWS\winud.exe
    O4 - HKLM\..\RunOnce: [nthp32.exe] C:\WINDOWS\nthp32.exe
    O4 - HKLM\..\RunOnce: [syslw32.exe] C:\WINDOWS\syslw32.exe
    O4 - HKLM\..\RunOnce: [netdx32.exe] C:\WINDOWS\netdx32.exe
    O4 - HKLM\..\RunOnce: [apitp.exe] C:\WINDOWS\system32\apitp.exe

    8) Now reboot in safe mode (via the method given in step 3) and then delete the following if found:
    C:\WINDOWS\ntge.dll
    C:\WINDOWS\system32\msya.exe
    C:\WINDOWS\iewg32.exe
    C:\WINDOWS\mfcwy32.exe
    C:\WINDOWS\ievr32.exe
    C:\WINDOWS\system32\atlnn32.exe
    C:\WINDOWS\ipsp32.exe
    C:\WINDOWS\winud.exe
    C:\WINDOWS\nthp32.exe
    C:\WINDOWS\syslw32.exe
    C:\WINDOWS\netdx32.exe
    C:\WINDOWS\system32\apitp.exe

    And also, if you found Network Security Service running in step 6, delete the file indicated in the Path to executable!
    Now also look for all of the above files in c:\windows\Prefetch If found, delete them too.

    9) Now, while still in safe mode, run only HijackThis and have it fix any R0 & R1 lines that have the pattern of
    res://C:\WINDOWS\xxxxx.dll/sp.html#xxxxx

    10) Right click on your Internet Explorer icon and select Properties. Set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files, select Delete all offline content too, click OK. When it finishes click OK.
    11) Now (still in safe mode) run Ad-aware & SpyBot S&D and clean what they find.
    12) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
    Click the [+] next to uninstall. Scroll down until you see the NAMES of programs, not the numbers in {,}. See if you can find any of the following:
    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard
    To double check, on the left pane, it will say what they are. Highlight one at a time, and hit your delete key. Once you delete all three, you may exit.
    13) Now reboot normal mode.
    14) Before running anything else, run HijackThis and save a log.
    15) Connect here to MG's and post the new log. Then continue running and let's see how everything is working.
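    The log triage chaslang does by hand in the post above, written out as a small script. This is an added example for this thread, not code from the original posts or from HijackThis. It encodes his rules: flag an O2 BHO listed as "(no name)" whose DLL sits directly in C:\WINDOWS or C:\WINDOWS\system32 rather than under Program Files; flag every O4 RunOnce entry pointing at a short, meaningless EXE name in those two directories; flag R0/R1 lines carrying the res://C:\WINDOWS\xxxxx.dll/sp.html pattern from step 9; and cross-reference the "Running processes" list against the flagged files, since a loaded file cannot be deleted until safe mode (step 8). The "short meaningless name" rule (3 to 6 letters, optional "32") is an assumption generalised from the names in the posted logs, and it is only ever applied to autostart entries, never to the process list on its own, so legitimate short names like smss.exe are not flagged. The sample log is a constructed excerpt modelled on the one posted; its R1 line is invented to exercise the sp.html rule, since the poster's own logs had none.

```python
"""Triage a HijackThis 1.9x log for Home Search Assistant-style entries.

Added example for the MajorGeeks thread; not part of the original posts or
of HijackThis. Rules follow chaslang's hand analysis (see lead-in); the
short-name heuristic is an assumption generalised from the posted logs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt modelled on the logs posted in the thread.
# The R1 line is invented (the poster's logs had no R0/R1 entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msya.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ntge.dll/sp.html#12345
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C40457D-AD33-9573-322C-CB94004FBA80} - C:\WINDOWS\ntge.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [msya.exe] C:\WINDOWS\system32\msya.exe
O4 - HKLM\..\RunOnce: [iewg32.exe] C:\WINDOWS\iewg32.exe
O4 - HKLM\..\RunOnce: [apitp.exe] C:\WINDOWS\system32\apitp.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
"""

BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUNONCE_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\RunOnce: \[[^\]]+\] (?P<cmd>.+)$")
SP_HTML_URL = re.compile(r"res://(?P<dll>[^\s#]+?\.dll)/sp\.html", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Assumed naming scheme of the dropped files: 3-6 letters, optional "32",
# placed directly in C:\WINDOWS or C:\WINDOWS\system32 (ntge.dll, msya.exe,
# iewg32.exe, atlnn32.exe, apitp.exe ...). Applied to autostart entries only.
WINDIR_SHORT_NAME = re.compile(
    r"^[a-z]:\\windows\\(?:system32\\)?[a-z]{3,6}(?:32)?\.(?:exe|dll)$", re.IGNORECASE
)


@dataclass
class Triage:
    fix_lines: list[str] = field(default_factory=list)     # tick these in HijackThis
    delete_files: list[str] = field(default_factory=list)  # delete in safe mode
    running_now: list[str] = field(default_factory=list)   # loaded; reboot first


def first_path(cmd: str) -> str | None:
    """Return the executable path at the start of a Run/RunOnce command line."""
    m = re.match(r'^"?(?P<p>[^"]+?\.(?:exe|dll))"?', cmd.strip(), re.IGNORECASE)
    return m.group("p") if m else None


def triage(log_text: str) -> Triage:
    result = Triage()
    flagged: dict[str, str] = {}   # lower-cased path -> path as logged
    processes: list[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DRIVE_PATH.match(line):             # "Running processes" entries
            processes.append(line)
            continue
        m = BHO_LINE.match(line)
        if m:
            path = m.group("path").strip()
            if m.group("name") == "(no name)" and WINDIR_SHORT_NAME.match(path):
                result.fix_lines.append(line)
                flagged.setdefault(path.lower(), path)
            continue
        m = RUNONCE_LINE.match(line)
        if m:
            path = first_path(m.group("cmd"))
            if path and WINDIR_SHORT_NAME.match(path):
                result.fix_lines.append(line)
                flagged.setdefault(path.lower(), path)
            continue
        if line[:2] in ("R0", "R1"):
            m = SP_HTML_URL.search(line)
            if m:                              # hijacked start/search page
                result.fix_lines.append(line)
                flagged.setdefault(m.group("dll").lower(), m.group("dll"))
    result.delete_files = sorted(flagged.values(), key=str.lower)
    result.running_now = [p for p in processes if p.lower() in flagged]
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("Fix in HijackThis:", *t.fix_lines, sep="\n  ")
    print("Delete in safe mode:", *t.delete_files, sep="\n  ")
    print("Loaded right now (safe mode first):", *t.running_now, sep="\n  ")
```

    Run it against a saved log (replace SAMPLE_LOG with the file contents) and you get the two lists chaslang produced in steps 7 and 8, plus a warning for any flagged file that is already running. It does not replace reading the log: the Network Security Service path from step 6 never appears in a HijackThis 1.97 log, and a Run entry (rather than RunOnce) pointing at a similarly named file is left for the human to judge.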
     
  12. Sung715

    Sung715 Private E-2

    I'm right now on an old computer of mine... Okay, I have stopped and disabled Network Security Service, and the path to executable is: C\WINDOWS\SYSTEM32\msya.exe /s

    Now I'm starting HijackThis...
     
  13. Sung715

    Sung715 Private E-2

    .... I have done all you told me to do...... but HSA, SE, SW keep respawning..

    Yes, I checked the Prefetch, system32, and Windows folders with hidden files shown.

    This is weird... maybe I should just reinstall Windows... anyway, I have nothing to lose.

    Should I? BTW, here's a log

    Logfile of HijackThis v1.97.7
    Scan saved at 1:42:27 PM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\msya.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\msac.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jong Eun\Desktop\HijackThis.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5DB0652B-0FF6-BED6-70DA-77E742B60E14} - C:\WINDOWS\system32\appot.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msac.exe] C:\WINDOWS\msac.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\RunOnce: [sdkxg.exe] C:\WINDOWS\sdkxg.exe
    O4 - HKLM\..\RunOnce: [msib.exe] C:\WINDOWS\msib.exe
    O4 - HKLM\..\RunOnce: [atlfh32.exe] C:\WINDOWS\atlfh32.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {97154128-DC4C-4D5B-AF7C-CA7356238EC9} (Hanmail FileUpload Control) - http://wwl486.daum.net/hanmail-ax/HM_fileupload.cab
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re-installing is always an option. That's up to you to decide when you have had enough.

    But I think a new version of this hijacker is spreading and I would like to have you do the following:

    1) go here and download Registrar lite and install it:
    http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "Appinit_Dlls" value on the right side panel.
    5) Double-click, copy and post what you find in the two fields shown below into your next post:
    -Size:
    -Value:
     
  15. Sung715

    Sung715 Private E-2

    Weeeeeee!! :) I used the HSRemover and it deleted all the wrong things in my computer!!! Wow, it's so much better without that dumb Home Search thing blocking me from accessing Korean and English websites....

    Thanks a lot for the help. Do you still need the value and size? Because I fixed it...

    Solution to all HSA problems: HSRemover, found on this website!!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I could have used the value and size before you fixed the problem. Now it may not be of any use.

    You should add a link here to where you got HSremover.
     
  17. Sung715

    Sung715 Private E-2

  18. sirbenel

    sirbenel Private E-2

    I went to the download page you indicated but there was nothing there to download... it must have been removed.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Correct! It has been removed. It caused other problems, like deleting valid startup items that you need. Plus it did not always work anyway. Use this link and the generic procedure there: http://www.majorgeeks.com/vb/showthread.php?t=35917
     
