Home Search Assistant

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by frustr8td, Jul 19, 2004.

  1. frustr8td

    frustr8td Private E-2

    I am experiencing browser/popup issues due to Home Search Assistant/Only the Best...

    I have read many threads here on this topic and have tried everything suggested...HSREMOVE only fixes the problem once...the issue starts all over again once I restart IE. I have tried following instructions on some other threads, but it seems specific to each and every instance of the problem.

    Please help!!! --frustr8td

    Here is my hijackthis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 11:14:42 AM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\crom.exe
    C:\WINDOWS\system32\apiwj32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\cmatessino\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hajcc.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hajcc.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hajcc.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hajcc.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hajcc.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hajcc.dll/index.html#37794
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {09E50A9A-9573-86A5-4ABD-5E38F81CBDB3} - C:\WINDOWS\sdkkl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [winat32.exe] C:\WINDOWS\system32\winat32.exe
    O4 - HKLM\..\Run: [apiwj32.exe] C:\WINDOWS\system32\apiwj32.exe
    O4 - HKLM\..\RunOnce: [crom.exe] C:\WINDOWS\system32\crom.exe
    O4 - HKLM\..\RunOnce: [appsb.exe] C:\WINDOWS\appsb.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\Software\..\Telephony: DomainName = bstek.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bstek.net
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
     
  2. srl

    srl Private E-2

    I have that nasty Home Search Assistant too. I have tried to remove it but I get a message that says I need Windows 2000 or Windows XP. I have Windows ME and I'm not sure what I can do to remove it. I am not very computer literate and I need HEEEEEEEEEELP!
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    frustr8td,
    Did you also try about buster? Did you follow the instructions on the download page exactly? You should have been in safe mode, system restore disabled, deleted hajcc.dll, reset your home page, etc. It should work if you did. I also suggest another browser like Firefox or Opera.

    srl:
    There are step by step instructions in this forum. Basically, you need the html and dll name, go into safe mode and delete all the dll files and remove the lines from HijackThis. I suggest you download Firefox from there and use another browser. Anything else, start your own thread please.
     
  4. frustr8td

    frustr8td Private E-2

    Major,

    Thanks for the tips! just a couple of questions:

    What is 'about buster'?
    Which 'download page'?
    Where can I find 'hajcc.dll'?

    I can't use a different browser, for work purposes I have to use IE.

    any help is greatly appreciated!!!
     
  5. frustr8td

    frustr8td Private E-2

    Major,

    I found About:Buster on the geeks download site. I will post back when I am done running it and everything...

    thanks again!
     
  6. frustr8td

    frustr8td Private E-2

    I followed the about:buster instructions exactly... it only worked once. As soon as I closed IE and brought it back up, the problem had returned and the res://... had a new dll in it.

    None of the spyware removal tools...not hsremove, about:buster, adaware, spybot...
    none of them can fix the problem permanently. I think this will involve manual removal of everything, but in all threads where this is explained, everyone else's problems don't fit mine exactly, so the instructions are hard to follow...

    please help, someone...
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Cool, now humor me. Why do you HAVE to have IE for work purposes? If your employer insists on it, tell him he's an idiot. If I had a business with a lot of PCs, ditching Internet Explorer would be my first move. Other browsers not only do what IE does, but usually much more.
     
  8. frustr8td

    frustr8td Private E-2

    We use web integrated software that is currently only compatible with IE. Or should I say, IE is the only supported browser with this software.

    I can use another browser for myself, but when I am with customers, I have to use IE.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post another HijackThis log and do not shut down or reboot your computer afterwards since this will cause the problem to mutate. It's okay to disconnect from the Internet but no reboots. Also, after getting your HijackThis log, do the steps below and give me answers to my questions:

    1) "Check to see if a Windows service name "Network Security Service" is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for exactly "Network Security Service". If you find
    that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of
    the information in the "Path to executable" box. Tell me if you find this service and the Path to executable if found."

    2) go here and download Registrar Lite and install it: http://www.resplendence.com/reglite
    3) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    4) Click the "go" tab
    5) Find: "AppInit_Dlls" value on the right side panel.
    6) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value.
     
  10. frustr8td

    frustr8td Private E-2

    My most recent log:

    Logfile of HijackThis v1.98.0
    Scan saved at 3:50:58 PM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\crom.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\crre.exe
    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hpyhf.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {09E50A9A-9573-86A5-4ABD-5E38F81CBDB3} - C:\WINDOWS\sdkkl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [winat32.exe] C:\WINDOWS\system32\winat32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [addkd.exe] C:\WINDOWS\system32\addkd.exe
    O4 - HKLM\..\Run: [crre.exe] C:\WINDOWS\crre.exe
    O4 - HKLM\..\RunOnce: [crom.exe] C:\WINDOWS\system32\crom.exe
    O4 - HKLM\..\RunOnce: [appsb.exe] C:\WINDOWS\appsb.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\Software\..\Telephony: DomainName = bstek.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF0A121A-8090-4BE8-9970-285D993554AD}: Domain = dss.state.la.us
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF0A121A-8090-4BE8-9970-285D993554AD}: NameServer = 172.20.11.237,172.20.11.238
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dss.state.la.us
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dss.state.la.us
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


    1.) Network Security Service is disabled and stopped.
    2.) Downloaded and ran Registrar Lite.
    3.) I copied and pasted the registry path; "\\AppInit_DLLs " disappears from the end of the string, and the following are the results: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\(default)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\DeviceNotSelectedTimeout
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\GDIProcessHandleQuota
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Spooler
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\swapdisk
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\TransmissionRetryTimeout
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\USERProcessHandleQuota

    I guess that's about as far as I can go at this point... Just let me know where to go next! thanks!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run reglite again and click on Search. In the window that comes up, enter AppInit_DLLs into the Text to search for box. Tell me if it finds anything. Also if it does, for each item found tell me the full registry path info and then double click on the item and again give me value info.

    For example, here are example paths I would expect:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
     
  12. frustr8td

    frustr8td Private E-2

    Sorry, no luck there. I ran the search several times and it didn't come up with anything.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But since you had to shut the PC down in order to take it home, you will have to post a new HijackThis log. Do not shut it down after posting. Wait for me. Hmmmm! What time zone are you in? Right now (at time of posting) it is 7:12 pm for me. I'm in EST.
     
  14. frustr8td

    frustr8td Private E-2

    My newest Log:

    Logfile of HijackThis v1.98.0
    Scan saved at 9:23:38 PM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\crom.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hpyhf.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {09E50A9A-9573-86A5-4ABD-5E38F81CBDB3} - C:\WINDOWS\sdkkl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [winat32.exe] C:\WINDOWS\system32\winat32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [addkd.exe] C:\WINDOWS\system32\addkd.exe
    O4 - HKLM\..\RunOnce: [crom.exe] C:\WINDOWS\system32\crom.exe
    O4 - HKLM\..\RunOnce: [appsb.exe] C:\WINDOWS\appsb.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\Software\..\Telephony: DomainName = bstek.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bstek.net
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll




    Oh and I am in central time zone... an hour behind you...
    so it is growing late where you are... thank you again for your help!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now follow these steps exactly. Read thru them first. If you cannot do them or do not understand anything, don't do anything until you get clarification from me. You may want to print these or copy them locally to a notepad file because I am going to have you physically disconnect from the internet very soon.

    Before starting make sure you have the current versions of:
    HijackThis (you have an old version): http://www.majorgeeks.com/download3155.html
    HSremove (v2.39 at time of writing): http://www.majorgeeks.com/download4286.html
    a² anti virus: http://www.majorgeeks.com/download4281.html
    (download and install a2; you need to get a registration key to use it, and it will require a reboot before using. Don't reboot yet. We'll do that later when we go into safe mode.)
    Ad-aware: http://www.majorgeeks.com/download506.html
    make sure Ad-aware reference file is updated. At time of writing we are at: 01R333 18.07.2004
    Also first read about how to set Ad-aware for a fullscan: http://www.lavahelp.com/howto/fullscan/index.html

    Print instructions if necessary or save locally.

    - Make sure you can view hidden files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    - disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668 (do not reboot when told to)
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****
    - Check to see if a Windows service name "Network Security Service" is
    running. To do this, click Start, Run, and enter the following in the Open
    box: "services.msc" (without the quotes). Then click OK. Now in the
    Services window that pops up look for Network Security Service. If you find
    that service, you must stop it by right clicking on it then select stop. Now
    disable it by right clicking on it and selecting Properties. Then in the
    General tab see the area that says "Startup type: " click on the pull down
    arrow and change it to Disabled. Also on the Properties page, make note of
    the information in the "Path to executable" box. You are going to use this
    later.

    - Boot into safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    - run HSremove

    - Bring up Task Manager (CTRL-ALT-DEL) and kill these processes if found (keep track of what you find and don't find and tell me):
    winat32.exe
    addkd.exe
    crom.exe
    appsb.exe

    Close Task Manager

    - run HijackThis and fix these if found:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hpyhf.dll/index.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {09E50A9A-9573-86A5-4ABD-5E38F81CBDB3} - C:\WINDOWS\sdkkl.dll
    O4 - HKLM\..\Run: [winat32.exe] C:\WINDOWS\system32\winat32.exe
    O4 - HKLM\..\Run: [addkd.exe] C:\WINDOWS\system32\addkd.exe
    O4 - HKLM\..\RunOnce: [crom.exe] C:\WINDOWS\system32\crom.exe
    O4 - HKLM\..\RunOnce: [appsb.exe] C:\WINDOWS\appsb.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    - Use Windows Explorer and delete (keep track again of what you find and what can & cannot be deleted. Tell me.):
    C:\WINDOWS\system32\hpyhf.dll
    C:\WINDOWS\sdkkl.dll
    C:\WINDOWS\msopt.dll
    C:\WINDOWS\system32\winat32.exe
    C:\WINDOWS\system32\addkd.exe
    C:\WINDOWS\system32\crom.exe
    C:\WINDOWS\appsb.exe

    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - while in safe mode run Fullscan with Ad-aware
    - boot normal and reconnect to internet
    - Run a² anti virus!
    - Post a new HijackThis log
     
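A log-triage script, added here as an example and not a tool from this thread, from HijackThis or from HSremove: it parses the R/O entries of a HijackThis 1.98 log and applies the heuristics chaslang used by hand in message 15 (res:// start/search pages, a BHO with no name, a Run/RunOnce value named after its own executable under the Windows directory, a protocol handler DLL sitting directly in the Windows directory) to produce the lines to fix and the files to delete, and it compares the res:// DLL names across two logs to make the rename-on-restart visible. The sample logs are constructed copies of the entries from messages 1 and 14; the heuristics are my assumptions about what set the hijacker's entries apart in this thread, not a general malware test.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the R/O entries from the log posted in message 14 of
# this thread (process list omitted, it plays no part in the triage below).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hpyhf.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {09E50A9A-9573-86A5-4ABD-5E38F81CBDB3} - C:\WINDOWS\sdkkl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [winat32.exe] C:\WINDOWS\system32\winat32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addkd.exe] C:\WINDOWS\system32\addkd.exe
O4 - HKLM\..\RunOnce: [crom.exe] C:\WINDOWS\system32\crom.exe
O4 - HKLM\..\RunOnce: [appsb.exe] C:\WINDOWS\appsb.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

# Constructed sample: the matching entries from the first log (message 1), taken
# before the hijacker renamed its DLL across a restart.
EARLIER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hajcc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hajcc.dll/index.html#37794
"""

WINDIR = "c:\\windows"  # assumption: every hijacker file in this thread sat directly under the Windows tree
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(.+?)\] (.*)$")


def parse(log):
    """Yield (code, body) pairs for entries such as 'O4 - HKLM\\..\\Run: ...'."""
    for line in log.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def res_target(body):
    """The DLL a res:// URL points at, as written in the log (full path or bare name)."""
    return body.split("res://", 1)[1].split("/", 1)[0]


def in_windows_dir(path):
    """True when the file sits directly in the Windows directory or in system32."""
    return str(PureWindowsPath(path).parent).lower() in (WINDIR, WINDIR + "\\system32")


def command_exe(cmd):
    """Executable from a Run value: a quoted path loses its arguments, an unquoted one is taken whole."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd


def triage(log):
    """Lines to fix in HijackThis and files to delete in safe mode, by the heuristics above."""
    fix, files, known, bare = [], set(), {}, set()
    for code, body in parse(log):
        entry = f"{code} - {body}"
        if code in ("R0", "R1") and "res://" in body:
            fix.append(entry)                       # start/search page redirected into a res:// DLL
            ref = res_target(body)
            if "\\" in ref:
                known[PureWindowsPath(ref).name.lower()] = ref
            else:
                bare.add(ref.lower())               # R0 lines carry only the DLL name
        elif code == "R3" and "is missing" in body:
            fix.append(entry)                       # the default URLSearchHook was removed
        elif code == "O2" and body.startswith("BHO: (no name)"):
            fix.append(entry)                       # unnamed browser helper object
            files.add(body.rsplit(" - ", 1)[1])
        elif code == "O4" and (m := RUN_RE.match(body)):
            exe = command_exe(m.group(2))
            if m.group(1).lower() == PureWindowsPath(exe).name.lower() and in_windows_dir(exe):
                fix.append(entry)                   # Run value named after its own executable
                files.add(exe)
        elif code == "O18" and body.startswith("Protocol:"):
            dll = body.rsplit(" - ", 1)[1]
            if in_windows_dir(dll):
                fix.append(entry)                   # custom protocol handler living in the Windows dir
                files.add(dll)
    files.update(known.values())
    files.update(known.get(name, name) for name in bare)  # bare names resolved where a full path was seen
    return fix, sorted(files)


def hijack_dlls(log):
    """Basenames of the DLLs the res:// page entries point at; compare two logs to spot a rename."""
    return {PureWindowsPath(res_target(b)).name.lower()
            for c, b in parse(log) if c in ("R0", "R1") and "res://" in b}


if __name__ == "__main__":
    lines, paths = triage(SAMPLE_LOG)
    print("Fix in HijackThis:", *lines, sep="\n  ")
    print("Delete in safe mode:", *paths, sep="\n  ")
    print("res:// DLL across reboot:", hijack_dlls(EARLIER_LOG), "->", hijack_dlls(SAMPLE_LOG))
```

Run against the message 14 entries it reproduces the 13 fix lines and 7 file paths chaslang listed in message 15; the Google Toolbar, Java and QuickTime entries are left alone.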
  16. jacbike

    jacbike Private E-2

    Okay, hi, I'm really new to this message board so sorry if I'm doing things backwards.

    I'm trying to follow these instructions but have a question. Is this where I ask a question?


    EDITED by chaslang: removed long quoted message to avoid confusion of thread
     
    Last edited by a moderator: Jul 20, 2004
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Start your own thread for your problem that you mentioned in the PM to me.
    If you don't know how to do this, read: http://forums.majorgeeks.com/showthread.php?t=31333
     
  18. frustr8td

    frustr8td Private E-2

    I could not find ANY of these in the process list when in safe mode.


    I was able to manually remove:
    -sdkkl.dll(also found sdkkl.exe but did not remove)
    -crom.exe

    Could not find:
    system32\hpyhf.dll
    msopt.dll
    system32\winat32.exe
    system32\addkd.exe
    appsb.exe


    Logfile of HijackThis v1.98.0
    Scan saved at 11:10:31 PM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Documents and Settings\cmatessino\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\Software\..\Telephony: DomainName = bstek.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bstek.net
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


    thanks again for all your help! I think this will be my last hit for tonight. I will keep the laptop on until tomorrow morning, so you don't need to worry with it anymore tonight. thanks again.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to fix these lines in HijackThis or did they come back:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hpyhf.dll/sp.html#37794
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hpyhf.dll/index.html#37794
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Fix them now. Make sure to shut down (not minimize, completely exit) Internet Explorer before clicking the Fix button in HijackThis.

    Then scan with HijackThis again and tell me if they are gone.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In fact you could not have completed the steps I gave you or the http://hsremove.com/done.htm line would already be gone. Did you do all the steps?
     
  21. frustr8td

    frustr8td Private E-2

    I followed the steps exactly. Let me get back to the steps you just gave me and I will get back to you.
     
  22. frustr8td

    frustr8td Private E-2

    OK, I figured out a couple things. Normal use of this machine is for my work. So about 99% of the time, I log in to a domain. When I boot into safe mode, where I ran all the tools, etc., I have to log into the local machine. When I am logged into the local machine, the problem now seems to be ok. When I log into the domain...that's where the last hijack log came from. And the log is different for each login location.

    I am currently logged into the local machine and this is my log:

    Logfile of HijackThis v1.98.0
    Scan saved at 9:24:12 AM, on 7/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Metastorm e-Work\Common\EClientMgr.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\cmatessino.BLUESTRE-76GXHE\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bstek.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\Software\..\Telephony: DomainName = bstek.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bstek.net
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


    I will log back in to the domain and post that log next.
     
  23. frustr8td

    frustr8td Private E-2


    My Hijack log while logged into my domain:

    Logfile of HijackThis v1.98.0
    Scan saved at 9:26:40 AM, on 7/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Documents and Settings\cmatessino\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R3 - Default URLSearchHook is missing
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\Software\..\Telephony: DomainName = bstek.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bstek.net
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Do you think it would be of any benefit to delete the domain user account from this machine and then set it back up again fresh?

    thanks!
     
  24. frustr8td

    frustr8td Private E-2

    Actually, scratch all that. For now, it seems to be ok in my domain login. I have reset and tested the IE homepage four times, and it still works!!! As of now, the res:// has not come back. Does this mean that you fixed it?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right now it looks good in both HijackThis logs but this line:
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    bothers me. I still feel it is potentially part of the problem. We need to get rid of this file.
    Try the below:

    Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\msopt.dll

    then click OK. If a dialog box confirming this action appears, click OK.

    Then boot into safe mode and rename C:\WINDOWS\msopt.dll to C:\WINDOWS\msopt.bad

    Then reboot normal, run HijackThis again and have it fix that O18 line.

    Tell me if that works or not (or if there are any problems running any of those steps).
     
  26. frustr8td

    frustr8td Private E-2

    When I ran this, I got the following error:
    "LoadLibrary("C:\WINDOWS\msopt.dll") failed - the specified Module could not be found."

    I can not find this file ANYWHERE, and I have my folder options set to display ALL files per the instructions you gave me last night.

    I ran HijackThis, fixed that line, and then it shows up immediately the next time it runs. It's like it will not go away!!!

    But I can report that in my Control Panel -> Add/Remove Programs list, Home Search Assistent no longer appears. Good thing, right?

    Thanks!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it does sound good. No more hijacks?

    Bring up regedit and search your registry for that msopt.dll file. Let me know where it is in the registry if you find it. Make sure you search all the way thru the registry. There could be multiple occurrences.
     
  28. frustr8td

    frustr8td Private E-2

    Regedit found it in two places:
    1.) My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}\InprocServer32
    Type: REG_SZ
    Data: C:\WINDOWS\msopt.dll

    2.) The entry in the Run history where we ran the command:
    That's all. And I haven't had any issues since the last time I posted.

    Thanks man. You're a lifesaver.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And thank you for confirming what I expected on this DLL.

    You need to get back into the registry and navigate back to this registry key:
    My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}

    In other words, in the left pane of regedit you should have highlighted the following:
    4A8DADD4-5A25-4d41-8599-CB7458766220

    (if you expand this key by clicking on the plus sign you will see the InprocServer32 and maybe other stuff under it) but with that hexadecimal number field highlighted, select the Registry menu on the top right of the window and then click Export Registry File. In the window that comes up give it a filename like msopt-regkey and save it someplace where you can find it if we need it later. Now with that hexadecimal field still highlighted, select the Edit menu button and select Delete. Confirm the delete.

    If this does not work (like it gets denied), tell me and skip the HijackThis log posting.

    If the delete is accepted, run HijackThis and send me a new log.
    I'm looking to get rid of the O18 line.
     
  30. frustr8td

    frustr8td Private E-2

    Ok, I deleted the key, it was accepted, and this is my new log file:
    (the O18 line is still there but the msopt.dll is GONE)

    Logfile of HijackThis v1.98.0
    Scan saved at 9:02:41 AM, on 7/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Atievxx.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Removal Kit\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bstek.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R3 - Default URLSearchHook is missing
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\Software\..\Telephony: DomainName = bstek.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bstek.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bstek.net
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


    What next?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's try to fix the O18 line now in HijackThis.

    And also Reset Web Settings by opening Internet Explorer. Then click Tools, Internet Options, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to whatever you use: http://www.bstek.net/
    (it looks like that is what you use).

    Other than that, you're looking good now!
     
  32. frustr8td

    frustr8td Private E-2

    Every time I run HijackThis and try to fix the O18 line it reappears the next time I scan:
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    Any thoughts?
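As an added example (not code from this thread or from HijackThis itself), a small Python triage script that parses HijackThis O18 and R0/R1 lines like the ones posted above and flags the two things this thread turns on: a res:// start/search page pointing into a local DLL, and a protocol handler whose CLSID target is gone but whose registration keeps coming back as "(no file)". The sample log excerpt is constructed for the example.

```python
import re
from typing import List, Tuple

# HijackThis line shapes seen in this thread: O18 protocol handlers and R0/R1 IE pages.
O18_RE = re.compile(
    r"^O18 - Protocol: (?P<scheme>\S+) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
R01_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<value>.+)$")

# Constructed sample excerpt (the res:// line and example.dll are made up for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\example.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bstek.net/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (category, line) pairs for the entries a reviewer would act on."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O18_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)":
                # The CLSID target no longer resolves, but the handler registration
                # itself is still present: that is why fixing the line alone does not stick.
                findings.append(("orphan-protocol-handler", line))
            elif re.match(r"(?i)^c:\\windows\\[^\\]+\.dll$", path):
                # A handler DLL dropped straight into the Windows directory (not System32
                # or Program Files) is a heuristic worth a second look, not proof by itself.
                findings.append(("handler-dll-in-windows-root", line))
            continue
        m = R01_RE.match(line)
        if m and m.group("value").lower().startswith("res://"):
            # res:// start/search pages load HTML out of a local DLL, the hijack this
            # thread started with; a normal http:// home page is left alone.
            findings.append(("res-page-hijack", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:30} {line}")
```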
     
  33. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you try it from safe mode? I am unsure what exactly it is.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and install Registrar Lite: http://www.majorgeeks.com/download469.html

    And Click on the Search icon (the magnifier glass).
    Paste into the "Text to search for" box the following:
    4A8DADD4-5A25-4D41-8599-CB7458766220
    and hit your Enter key

    Tell me if you get any matches on the right side of the Window. And Copy and Paste back here what you get.

    EDIT: Also search for this registry key and let me know the results:
    B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D


    What we are planning on doing is deleting both of those registry keys in all places that they are found!
     
    Last edited: Jul 23, 2004
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  36. frustr8td

    frustr8td Private E-2

    No hits came back on this one.

    No love on this one either. Though I was not in safe mode at the time, should I be?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this:

    Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\mshp.dll

    then click OK. If a dialog box confirming this action appears, click OK.

    If it gets a confirmation, try to fix the O18 line again in HijackThis.

    If that does not work try two more things:
    1) run online scan: http://housecall.trendmicro.com/housecall/start_corp.asp
    2) try running all the stuff from the links I gave before. I'll repeat them:
    See: http://de.trendmicro-europe.com/ent...TROJ_WINSHOW.AF
    and: http://www.trendmicro.com/vinfo/vir...SHOW.AF&VSect=T

    Now see if that O18 line is gone.
     
