very irritating to get rid of

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dobbs734, Jul 22, 2004.

  1. Dobbs734

    Dobbs734 Private E-2

    Ok, sorry about posting in that last forum, I didn't think of my own thread...

    Anyways, like I said before, I have Win XP, and I tried using HSRemove, Spybot, Ad-aware, About:Buster and HijackThis all in safe mode, with system restore turned off, and stopping and disabling the Network Security Services. I also wrote down the path for the NSS, which is "C:\WINDOWS\ipff32.exe". Under these conditions, I get the recovery screen of HSRemove, but when I restart it, it always comes back. I'm new to this style of forum, so any help would be appreciated, and if I'm doing anything wrong in this kind of posting please inform me. Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you done a search for AppInit_DLLs in your registry to see what is shown there? Do a search in this forum and you will see references to AppInit_DLLs in many places. If you find AppInit_DLLs, we need the Value info as stated in the other threads.

    Then post your HijackThis log.
     
  3. Dobbs734

    Dobbs734 Private E-2

    Alright, I did what you said about the AppInit_DLLs but I found none, or there were no values set. Well, here's my HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 7:29:11 PM, on 7/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\ipff32.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\apiqr.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mike.YOUR-KYBTG65GXE\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jupog.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jupog.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jupog.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0AF23546-627B-E7D6-AEB6-CBB4FC91EBE4} - C:\WINDOWS\system32\ntth32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [apiqr.exe] C:\WINDOWS\apiqr.exe
    O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\ipff32.exe
    O4 - HKLM\..\RunOnce: [winxo32.exe] C:\WINDOWS\system32\winxo32.exe
    O4 - HKLM\..\RunOnce: [winbn.exe] C:\WINDOWS\winbn.exe
    O4 - HKLM\..\RunOnce: [d3ci32.exe] C:\WINDOWS\system32\d3ci32.exe
    O4 - HKLM\..\RunOnce: [addgk32.exe] C:\WINDOWS\addgk32.exe
    O4 - HKLM\..\RunOnce: [sysmv.exe] C:\WINDOWS\system32\sysmv.exe
    O4 - HKLM\..\RunOnce: [mfcfr32.exe] C:\WINDOWS\mfcfr32.exe
    O4 - HKLM\..\RunOnce: [apisg.exe] C:\WINDOWS\apisg.exe
    O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\sdknv.exe
    O4 - HKLM\..\RunOnce: [d3tl.exe] C:\WINDOWS\d3tl.exe
    O4 - HKLM\..\RunOnce: [addvk32.exe] C:\WINDOWS\system32\addvk32.exe
    O4 - HKLM\..\RunOnce: [mfcxl32.exe] C:\WINDOWS\system32\mfcxl32.exe
    O4 - HKLM\..\RunOnce: [atljq.exe] C:\WINDOWS\atljq.exe
    O4 - HKLM\..\RunOnce: [d3yp32.exe] C:\WINDOWS\d3yp32.exe
    O4 - HKLM\..\RunOnce: [mskx32.exe] C:\WINDOWS\system32\mskx32.exe
    O4 - HKLM\..\RunOnce: [atlbd32.exe] C:\WINDOWS\atlbd32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
    O13 - WWW Prefix: http://www.microsoit.com/direct.php?url=
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtn_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\whwsdgtv.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Thanks again!
     
  4. beanier

    beanier Specialist

    Just in case you haven't, read the 4th sticky thread about HijackThis by Major Attitude... he recommends closing all your stuff so the log is shorter and easier to read... cause that log is long! :]
     
    Last edited by a moderator: Jul 23, 2004
  5. NeoNemesis

    NeoNemesis Moutharrhea

    That is good that you told him to read that message from MT, but the processes are the problem and that is not why it is so long. The problem is that they have a lot of junk on there. Please make sure you are providing an adequate answer.

    :: The problem I'm seeing is that you have a lot of redirections in your IE:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jupog.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jupog.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jupog.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm
     
  6. ANHEDONIC

    ANHEDONIC Will Title For Food

    Dobbs... do not save HijackThis to a temporary folder (or your desktop for that matter)... save it to your hard drive.... so uninstall it and reinstall it to the proper place... I say this because it makes backups of what you fix, and if it's saved to a temporary folder you are going to lose all of those backups
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about that? AppInit_DLLs is part of every NT, 2K, and XP system. It is a built-in registry key. It may be that the value for AppInit_DLLs is blank but there should be a registry key. So what is it that you were saying? Were you saying you found it and it was blank?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Dobbs,

    Please do the following:

    Go to Start --> Run and type Regedit then click Ok.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:

    __NS_Service
    __NS_Service_2
    __NS_Service_3

    Tell me if you find any of those.

    Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    and highlight Root in the Left Pane. In the right pane, look for these entries:

    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    Tell me if you find any of those.
     
  9. Dobbs734

    Dobbs734 Private E-2

    Ok, Chaslang, I checked my registry and did not find:

    __NS_Service
    __NS_Service_2
    __NS_Service_3

    I then checked for the other three:

    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    and did not find them. So I found none of the things you wanted...
     
  10. Dobbs734

    Dobbs734 Private E-2

    Oh yeah, and the value is empty for my AppInit_DLLs, like what you said
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want you to use Registrar Lite below, not the Windows built-in regedit. This is necessary because regedit does not always seem to show everything:

    1) go here and download Registrar Lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value.

    But even if AppInit_DLLs is still blank, do the following:
    I'm going to say Reglite rather than Registrar Lite from now on.
    1) Run Reglite again and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    In the left pane, rename the folder Windows to NotWindows. This folder should be highlighted as a light blue (some people call it light purple).
    2) Exit Reglite
    3) Make sure you have Ad-aware installed and updated
    4) Learn how to do a fullscan with Ad-aware: http://www.lavahelp.com/howto/fullscan/index.html
    5) Make sure you have installed the VX2 Cleaner plugin for Ad-aware
    http://www.majorgeeks.com/download4283.html
    Read the instructions on that link on how to install and use.
    Do not use it yet.
    6) Learn how to boot in safe mode for your OS:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    7) Print or save these instructions locally because you have to disconnect from the internet physically now.
    8) Boot in safe mode (without network support)
    9) Run About:Buster and save the log to ABlog1.txt
    10) Run About:Buster and save the log to ABlog2.txt
    11) Run Ad-aware full scan
    12) Run VX2 cleaner plugin
    13) Reboot normal mode
    14) Create a new HijackThis log
    15) Connect to internet and post your two About:Buster logs and the new HijackThis log. DO NOT ATTEMPT ANY CLEANUPS OF ANYTHING UNTIL I TELL YOU WHAT TO DO NEXT. IN FACT DO NOT REBOOT OR SHUTDOWN YOUR PC EITHER.
     
    Last edited: Jul 23, 2004
  12. Dobbs734

    Dobbs734 Private E-2

    Alright, did exactly what you told me to do...

    Here are my About:Buster log files:

    -- Scan 1 --------
    About:Buster Version 1.31
    Removed! : C:\WINDOWS\addgk32.exe
    Removed! : C:\WINDOWS\aiikuu.dat
    Removed! : C:\WINDOWS\apiqr.exe
    Removed! : C:\WINDOWS\atljq.exe
    Removed! : C:\WINDOWS\d3ha32.exe
    Removed! : C:\WINDOWS\d3yp32.exe
    Removed! : C:\WINDOWS\ehhhhm.dat
    Removed! : C:\WINDOWS\gmktwk.dat
    Removed! : C:\WINDOWS\gunbqj.dat
    Removed! : C:\WINDOWS\hncfpv.dat
    Removed! : C:\WINDOWS\ijbuv.dat
    Removed! : C:\WINDOWS\irwal.dat
    Removed! : C:\WINDOWS\jnagbt.dat
    Removed! : C:\WINDOWS\kwkcqg.dat
    Removed! : C:\WINDOWS\lausji.dat
    Removed! : C:\WINDOWS\mfcfr32.exe
    Removed! : C:\WINDOWS\nnyqua.dat
    Removed! : C:\WINDOWS\ogley.dat
    Removed! : C:\WINDOWS\psfjpj.dat
    Removed! : C:\WINDOWS\uqtjat.dat
    Removed! : C:\WINDOWS\uuzavx.dat
    Removed! : C:\WINDOWS\winbn.exe
    Removed! : C:\WINDOWS\xmgliq.dat
    Removed! : C:\WINDOWS\yjwfzd.dat
    Removed! : C:\WINDOWS\zfkphz.dat
    Removed! : C:\WINDOWS\zmdwdb.dat
    Removed! : C:\WINDOWS\System32\atljr.exe
    Removed! : C:\WINDOWS\System32\d3ci32.exe
    Removed! : C:\WINDOWS\System32\mfcxl32.exe
    Removed! : C:\WINDOWS\System32\sysmv.exe
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    My second scan with About:Buster:

    -- Scan 1 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    Now my HijackThis log file after the Ad-Aware and the Vx2 plug-in:

    Logfile of HijackThis v1.98.0
    Scan saved at 1:05:15 AM, on 7/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\ipff32.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Documents and Settings\Mike.YOUR-KYBTG65GXE\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://klounada.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://klounada.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0AF23546-627B-E7D6-AEB6-CBB4FC91EBE4} - C:\WINDOWS\system32\ntth32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\ipff32.exe
    O4 - HKLM\..\RunOnce: [winxo32.exe] C:\WINDOWS\system32\winxo32.exe
    O4 - HKLM\..\RunOnce: [apisg.exe] C:\WINDOWS\apisg.exe
    O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\sdknv.exe
    O4 - HKLM\..\RunOnce: [d3tl.exe] C:\WINDOWS\d3tl.exe
    O4 - HKLM\..\RunOnce: [addvk32.exe] C:\WINDOWS\system32\addvk32.exe
    O4 - HKLM\..\RunOnce: [mskx32.exe] C:\WINDOWS\system32\mskx32.exe
    O4 - HKLM\..\RunOnce: [atlbd32.exe] C:\WINDOWS\atlbd32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtn_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\whwsdgtv.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab

    It's pretty late, so I'll leave my computer on overnight, but I'll look for your response tomorrow. Thanks again.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is still stuff in there!

    Did you rename the registry key to NotWindows as I asked?

    C:\WINDOWS\ipff32.exe <---- Kill this process with Task Manager

    Then have HijackThis fix the items below:
    O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\ipff32.exe
    O4 - HKLM\..\RunOnce: [winxo32.exe] C:\WINDOWS\system32\winxo32.exe
    O4 - HKLM\..\RunOnce: [apisg.exe] C:\WINDOWS\apisg.exe
    O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\sdknv.exe
    O4 - HKLM\..\RunOnce: [d3tl.exe] C:\WINDOWS\d3tl.exe
    O4 - HKLM\..\RunOnce: [addvk32.exe] C:\WINDOWS\system32\addvk32.exe
    O4 - HKLM\..\RunOnce: [mskx32.exe] C:\WINDOWS\system32\mskx32.exe
    O4 - HKLM\..\RunOnce: [atlbd32.exe] C:\WINDOWS\atlbd32.exe

    Then repeat the previous process but in between steps 10 & 11 also run HSremove and include a log from it.
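A log triage helper along the lines of what NeoNemesis (post 5) and chaslang (post 13) do by eye, as an added example that is not part of this thread and not HijackThis' own code: it parses the R/O line formats shown in the posted logs and flags the patterns they call out (res:// redirects, RunOnce entries, the relocated hosts file, unnamed BHOs, the O13 prefix). The sample log is constructed from lines quoted in this thread plus one benign www.example.com control line.

```python
"""Triage a HijackThis log for the hijack patterns discussed in this thread.

Added example, not part of the thread and not HijackThis' own code. It reads
the R0/R1/R3/O1/O2/O4/O13/O16/O18 line formats as they appear in the posted
logs and returns (section, reason, line) findings for a human to review.
"""
import re

# Default hosts file location on Windows XP; the posted log shows it moved.
DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"

# Constructed sample, modelled on lines quoted in the thread; the
# www.example.com start page is a benign control line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0AF23546-627B-E7D6-AEB6-CBB4FC91EBE4} - C:\WINDOWS\system32\ntth32.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\ipff32.exe
O4 - Global Startup: winlgn.exe
O13 - DefaultPrefix: http://www.microsoit.com/direct.php?url=
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\whwsdgtv.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

# "R1 - <body>" / "O4 - <body>"; header and process-list lines do not match.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# HKLM\..\RunOnce: [name] path
RUNONCE_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\RunOnce: \[(?P<name>[^\]]+)\] (?P<path>.+)$")


def classify(sec, body):
    """Return a reason string if the entry matches a hijack pattern, else None."""
    low = body.lower()
    if sec in ("R0", "R1"):
        _, _, value = body.partition(" = ")
        value = value.strip().lower()
        if value.startswith("res://"):
            return "IE start/search page points at a local DLL resource (res://)"
        if "proxyoverride" in low and value and value != "<local>":
            return "ProxyOverride exempts external hosts from the proxy"
    elif sec == "R3":
        if "(no file)" in low or "missing" in low:
            return "URLSearchHook broken or missing"
    elif sec == "O1":
        if low.startswith("hosts file is located at:"):
            path = body.partition(":")[2].strip().lower()
            if path != DEFAULT_HOSTS:
                return "hosts file relocated away from the default path"
        elif low.startswith("hosts:"):
            return "hosts entry pins a domain to a fixed address"
    elif sec == "O2":
        if low.startswith("bho: (no name)"):
            return "unnamed Browser Helper Object"
    elif sec == "O4":
        m = RUNONCE_RE.match(body)
        if m:
            # RunOnce should vanish after one boot; a value whose name is the
            # executable's own file name and keeps coming back is the pattern
            # seen in this thread.
            self_named = m.group("name").lower() == m.group("path").split("\\")[-1].lower()
            return "RunOnce entry that persists across boots" + (" (self-named)" if self_named else "")
        if "startup:" in low and ".lnk" not in low:
            return "bare executable in a Startup folder"
    elif sec == "O13":
        if "http" in low:
            return "IE URL prefix routes typed addresses through another site"
    elif sec == "O16":
        if "file://" in low:
            return "ActiveX download entry points at a local executable"
    elif sec == "O18":
        return "custom protocol handler registered; verify the DLL"
    return None


def triage_hijackthis(log_text):
    """Parse a HijackThis log and return a list of (section, reason, line)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes:" list, blank lines
        reason = classify(m.group("sec"), m.group("body"))
        if reason:
            findings.append((m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

Findings are review prompts, not verdicts: the thread shows that fixing the entries with HijackThis is only useful after the process that re-creates them (here ipff32.exe) has been stopped.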
     
  14. Dobbs734

    Dobbs734 Private E-2

    OK, yes, I changed the registry key to "NotWindows"

    I killed the C:\WINDOWS\ipff32.exe with task manager

    and deleted the following with HijackThis:

    O4 - HKLM\..\RunOnce: [ipff32.exe] C:\WINDOWS\ipff32.exe
    O4 - HKLM\..\RunOnce: [winxo32.exe] C:\WINDOWS\system32\winxo32.exe
    O4 - HKLM\..\RunOnce: [apisg.exe] C:\WINDOWS\apisg.exe
    O4 - HKLM\..\RunOnce: [sdknv.exe] C:\WINDOWS\sdknv.exe
    O4 - HKLM\..\RunOnce: [d3tl.exe] C:\WINDOWS\d3tl.exe
    O4 - HKLM\..\RunOnce: [addvk32.exe] C:\WINDOWS\system32\addvk32.exe
    O4 - HKLM\..\RunOnce: [mskx32.exe] C:\WINDOWS\system32\mskx32.exe
    O4 - HKLM\..\RunOnce: [atlbd32.exe] C:\WINDOWS\atlbd32.exe

    Now here are my logs from About:Buster, HijackThis and HSRemove:

    About:Buster Scan 1
    -- Scan 1 --------
    About:Buster Version 1.31
    Removed! : C:\WINDOWS\apidl32.exe
    Removed! : C:\WINDOWS\ijbuv.dat
    Removed! : C:\WINDOWS\irwal.dat
    Removed! : C:\WINDOWS\mfcuf.exe.bak
    Removed! : C:\WINDOWS\ogley.dat
    Removed! : C:\WINDOWS\System32\crwh.exe
    Removed! : C:\WINDOWS\System32\jupog.dll
    Removed! : C:\WINDOWS\System32\mfcwo32.exe
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    About:Buster Scan 2
    -- Scan 2 --------
    About:Buster Version 1.31
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    HSRemove log: NO Removed files

    HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 8:15:11 PM, on 7/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\WINDOWS\ipff32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Mike.YOUR-KYBTG65GXE\Local Settings\Temp\Temporary Directory 17 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\netxn32.exe
    C:\Documents and Settings\Mike.YOUR-KYBTG65GXE\Local Settings\Temp\Temporary Directory 18 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jupog.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jupog.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jupog.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jupog.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0AF23546-627B-E7D6-AEB6-CBB4FC91EBE4} - C:\WINDOWS\system32\ntth32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [netxn32.exe] C:\WINDOWS\system32\netxn32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtn_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\whwsdgtv.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab

    I disconnected physically from the internet when going to safe mode and did exactly as you instructed...please inform me on the next step. Thanks!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! This HSA problem is going to be a bear to remove. Typical of the ones we have been seeing lately. I think we need to get rid of the other problems you have first. They are not making it any easier.

    First:
    Unless you really need the Wild Tangent stuff for online games (or whatever), I would go to Add/Remove programs and uninstall all the Wild Tangent stuff (there could be 3 or 4 items).

    Second:
    We need to clean up the WinTools stuff. Also check Add/Remove programs for any of the following: "Wintools", "Wintools Easy Installer", or "Wintools for Internet Explorer". Chances are they will not be there but it is worth the try. If that does not work then bring up Task Manager (CTRL-ALT-DEL) and look for any of these to be running: wtoolsa.exe, wtoolsb.exe, wtoolss.exe, wsup.exe, and wtoolsb.dll.

    Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u wtoolsb.dll

    then click OK. If a dialog box confirming this action appears, click OK.

    Third: let's fix the HijackThis lines
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://klounada.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [mysoft] C:\windows\system32\winexplor.exe
    O4 - Global Startup: winlgn.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\whwsdgtv.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/de...aploader_v5.cab
    O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab


    Fourth: Cleanup stage
    Make sure you can view hidden & system files: http://forums.majorgeeks.com/showthread.php?t=37650
    Boot into Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    Now let's delete some files & directories to finish cleaning up the stuff we fixed above:
    C:\Program Files\Common Files\WinTools <--- delete the whole directory
    C:\windows\system32\winexplor.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
    C:\Program Files\Internet Explorer\whwsdgtv.exe

    Reboot normal mode and post a new HijackThis log as a text attachment. There are new rules about posting HijackThis logs. Read this:
    http://forums.majorgeeks.com/showthread.php?t=35407
     
    Last edited: Jul 24, 2004
  16. Dobbs734

    Dobbs734 Private E-2

    Ok, the WinTools stuff is gone, and the Wild Tangent stuff is gone too. I deleted the files you told me to delete and they don't appear any more in the same place. I fixed the entries in HijackThis but they keep coming back. I read the new post on posting things from HijackThis, and I can't upload the log files! I don't know why, but it keeps saying it's an invalid file type, even though it supports .txt files; the HijackThis files are saved as .log files. So I'm gonna post my HijackThis log anyway; if you have a solution for why I can't put an attachment up, I'll be glad to re-post with an attachment.

    Logfile of HijackThis v1.98.0
    Scan saved at 2:07:56 PM, on 7/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Mike.YOUR-KYBTG65GXE\Local Settings\Temp\Temporary Directory 20 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [netxn32.exe] C:\WINDOWS\system32\netxn32.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtn_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab

    Thanks again.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Dobbs,

    I'm not sure why you are having a problem with attachments. I'll check it out and see what I find.

    Okay, you said "I fixed the entries in HijackThis but they keep coming back." Which entries came back? It looks like everything I told you to fix is gone. That does not mean I don't see a problem. I do see a file from the HSA problem. And that is this line:
    O4 - HKLM\..\Run: [netxn32.exe] C:\WINDOWS\system32\netxn32.exe

    Don't try to simply fix it with HijackThis; that will not work. If you are still having a problem with HomeSearchAssistent (HSA), you need to let me see it before making changes in the log. You can try booting to safe mode and running about:Buster. Run it twice and then run HSremove. Save their logs and post back here.

    Do you have Talisman Shell Switcher installed? The reason I ask is this line:
    O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

    Many places refer to it as a Trojan. Others do not. If you did not install Talisman, we may need to fix this. See this link on Talisman: http://www.lighttek.com/talisman_faq.htm
    and let me know if you installed this.
     
    Last edited: Jul 25, 2004
  18. Dobbs734

    Dobbs734 Private E-2

    Alright, what I am trying to say with "I fixed the entries in HijackThis but they keep coming back." is that when I restart in safe mode and run HijackThis, HSRemove, or any program like that, it deletes the indicated files that were said to be bad. Now, when I restart the machine (in normal mode), all the files I basically deleted are back. Now, every time I post a log of something, that's always before I restart it back to normal mode.

    In regards to the Talisman, I never downloaded or installed the program. Also, out of interest, I ran a virus scan and found some trojans, but no harm was detected. These trojans may be the answer, but if you can find something about this, then that would be great. Thanks!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are going to have to post a HijackThis log (after booting in normal mode) that shows the problem with HSA. Make sure to post your log as a text attachment (new guidelines here: http://forums.majorgeeks.com/showthread.php?t=35407)

    Important note: you are running HijackThis from a temp directory:
    C:\Documents and Settings\Mike.YOUR-KYBTG65GXE\Local Settings\Temp\Temporary Directory 16 for hijackthis.zip\HijackThis.exe
    These directories are prone to cleanups and you could lose all the backups that HijackThis creates by leaving it in a temp directory. You should put HijackThis in its own directory, and it should not be a temp directory. Some people make a C:\Program Files\HijackThis directory. I have a C:\Spyware-Tools directory where I have HijackThis, CWShredder and a load more stuff that are quick-run items that do not have installation packages.


    If you did not install Talisman, look for an uninstall in Add/Remove programs and uninstall it.
    If you cannot find one then use Task Manager to see if the tss.exe process is running. If so, end it.
    And then run HijackThis and have it fix the line below:
    O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe

    Normally I would now say to delete the C:\WINDOWS\System32\tss.exe file too (and it may have to be done in safe mode). But this time, let's make sure it is not needed for anything else on your system first. So go to C:\WINDOWS\System32 and just rename the tss.exe file to tss.bad. That way it will still be there if needed.
     
  20. Dobbs734

    Dobbs734 Private E-2

    Ok, I relocated my HijackThis folder to Program Files, so it's not a temp anymore. Now, about uploading my log file on this post, I cannot. It still says that the HijackThis log file is invalid and it won't upload. I'm sorry once again that I cannot use an attachment like you asked, but because HijackThis logs are saved as ".log" I don't think you would be able to post them, because the only valid types are: bmp, doc, gif, jpe, jpeg, jpg, pdf, png, psd, txt, and zip. So I'm gonna post my log on this again. Sorry for the inconvenience.

    Now another weird thing was that the Talisman program was not in my Add/Remove Programs list. So as you said I looked under Task Manager, but did not find it there either. So, I then looked for it manually in C:\WINDOWS\System32 and tried to find the tss.exe, but couldn't find it. However, during this last log (posted below), I was able to delete two "O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe" lines with HijackThis. So, I'm not sure if this is strange to you, but I really don't know what the hell is going on now...but I'll keep following anything you have for me. Thanks!

    HijackThis Log
    Logfile of HijackThis v1.98.0
    Scan saved at 4:41:10 PM, on 7/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [netxn32.exe] C:\WINDOWS\system32\netxn32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtn_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  21. Dobbs734

    Dobbs734 Private E-2

    Just to make things clear, here's the log with all the bad stuff (ipff32, netxn32, etc.) that we've been trying to fix, on a HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 5:16:58 PM, on 7/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\WINDOWS\system32\netxn32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\ipff32.exe
    C:\Program Files\WindowsUpdate\wuaudnld.tmp\cabs\com_microsoft.Q832894_IE6_SP1\q832894.exe
    C:\DOCUME~1\MIKE~1.YOU\LOCALS~1\Temp\IXP000.TMP\IEUPDATE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixfy.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gixfy.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gixfy.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gixfy.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixfy.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gixfy.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {292FBB36-CE40-4601-B54E-CE5E87623DCE} - C:\WINDOWS\system32\mswy32.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [netxn32.exe] C:\WINDOWS\system32\netxn32.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\MIKE~1.YOU\LOCALS~1\Temp\IXP000.TMP\"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtn_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    Now the last post was a HijackThis log that was cleaned up after fixing the stuff we know is bad...unless you see some other bad stuff.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For the upload problem with HJT logs just change the file extension from .log to .txt and it will upload just fine.

    Just to be clear. You are renaming the file and only changing the 3 character extension.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, I'm looking at your HJT log now. Please do not try to fix anything and do not reboot or shutdown. I'm working out a procedure for you right now. Wait for me to post this (long) step by step procedure. It is geared just for you. Hang on for a little while.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before starting the steps below, I want you to make sure you have Ad-aware and SpyBot S&D installed. Double check for updates. Ad-aware updates frequently and you must be current to make sure fixes work. Also, make sure you know how to configure Ad-aware for a fullscan. Read this.

    Make sure you have current version of both HSremove and about:buster.

    Before starting make sure you download and install CCleaner from here:
    http://www.majorgeeks.com/download4191.html

    Don't run CCleaner yet.

    Okay, below are the steps we are going to use. Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so.

    1) Make sure you have enabled viewing of Hidden Files and Folders with Windows Explorer. To see how to do that, see this.

    2) Make sure you know how to boot in safe mode too (but don't do it yet!). Read this.

    3) Disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection!)

    4) Bring up Task Manager (using CTRL-ALT-DEL), select Processes and end these processes if you find them:
    netxn32.exe
    ipff32.exe

    5) Now we are going to use Notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\system32\gixfy.dll" (without the quotes) and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file C:\WINDOWS\system32\gixfy.dll and right click on it and select Properties and change the attributes to Read Only and click OK.

    6) You may have already tried this step before but do it anyway just to double check.
    Check to see if a Windows service named "Network Security Service" is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up, look for Network Security Service. If you find that service, you must stop it by right clicking on it then selecting Stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: ", click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. You are going to use this later.

    If you do not find this service running, just continue with the next steps.

    7) Shut down (not minimize) all applications (especially IE and Windows Explorer) and using HijackThis, fix the BHO (Browser Helper Object) line added by the hijacker and the loading of EXE's at startup:

    O2 - BHO: (no name) - {292FBB36-CE40-4601-B54E-CE5E87623DCE} - C:\WINDOWS\system32\mswy32.dll
    O4 - HKLM\..\Run: [netxn32.exe] C:\WINDOWS\system32\netxn32.exe


    8) Now reboot in safe mode (via the method given in step 2) and then delete all the DLL and EXE files named in step 7.

    C:\WINDOWS\system32\netxn32.exe
    C:\WINDOWS\ipff32.exe

    And also if you found the Network Security Service running in step 6, delete the file indicated in the Path to executable! Be careful here: the Path to executable always contains a trailing /s. The /s is not part of the filename. For example, the Path to executable could be C:\windows\system32\javajt32.exe /s but the filename (with path) is C:\windows\system32\javajt32.exe

    9) This step is for WinXP only. Now also look in c:\windows\Prefetch for all of the above files deleted in steps 7 and 8. If found, delete them too.

    10) Empty your Recycle Bin

    11) Now while still in safe mode, run only HijackThis and have it fix all the R0 and R1 lines that have the typical symptom information.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixfy.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gixfy.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gixfy.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gixfy.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixfy.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gixfy.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    12) Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    13.0) Run CCleaner and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.
    13A) Search the registry for every instance of gixfy.dll and delete them.
    13B) Search the registry for every instance of the suspicious exe files found by Hijack This from step 7. Delete every instance.
    13C) Search your computer for gixfy.dll. Delete each instance.
    13D) Search your computer for the suspicious exe files. (any file names the same as what we have been fixing above but they could be ending in .DAT, .DLL, or .EXE). Delete each instance.
    13E) If found, delete Memory.dmp in C:\windows or in C:\windows\System32
    13F) Run HSRemove, save log to HSlog1.txt
    13G) Run about:Buster, save log to ABlog1.txt
    13H) Run about:Buster again, save log to ABlog2.txt

    13I) Also while still in Safe Mode to finish the cleanup process, please do the following:
    Go to Start --> Run and type Regedit then click Ok.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:
    __NS_Service
    __NS_Service_2
    __NS_Service_3

    If any are listed, right-click that entry in the right pane and choose Delete.

    13J) Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    and highlight Root in the Left Pane. In the right pane, look for these entries:
    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    If you find any, right-click it in the right pane and choose Delete.

    If you have trouble deleting a key from steps 13I or 13J, then click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

    14) Now (still in safe mode) run Ad-aware fullscan and then SpyBot S&D and clean what they find.

    15) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Click the [+] next to Uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:
    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard

    If you find any of them, select one at a time, and hit your Delete key. Once you delete all three, you can exit the registry editor.

    As an alternate approach, save the following 4 lines to a file called hsafix.reg, then using Windows Explorer double click on the hsafix.reg file and merge the fix into the registry.
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    16) Now reboot into normal mode (do not connect to the internet yet).
    17) After rebooting, before running anything else, run HijackThis and save a log.
    18) Reconnect your internet connection, connect here to MG's and post all of the HSRemove, About:Buster and HijackThis logs.

    Please post all of them in one text attachment. Then continue running and let's see how everything is working.

    You need to try a few reboots and perform some typical surfing in order to verify that the fix really works.

    Final note: If you have a system with multiple user accounts on it, you may need to
    perform this procedure for each account in order to fully rid your system of this problem. Check a HijackThis log in each user account!
     
    Last edited: Jul 26, 2004
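    The steps above have you inspect three registry locations by hand. The following PowerShell script is an added example, not part of chaslang's procedure or any tool named in the thread: it audits the same locations from steps 13I, 13J and 15 (the key names are taken from the post, including the HSA, SE and SW names used by the hsafix.reg lines) and reports any matching subkey or value. For each hit it also shows the key owner and whether inherited permissions are blocked, which is the condition that makes the permission fix described for 13I/13J necessary. It deletes nothing; removal stays with the manual steps. The cmdlet name Find-HomeSearchRegistryArtifacts and the $Checks table are my own. Run it from an elevated PowerShell prompt while still disconnected from the internet.

```powershell
# Added example (not from the original post): read-only audit of the registry
# locations named in steps 13I, 13J and 15. Reports matches, deletes nothing.
# Key names below are the ones listed in the procedure; the cmdlet name and the
# $Checks table are assumptions made for this example.

$Checks = @(
    [pscustomobject]@{
        Step  = '13I'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
        Names = @('__NS_Service', '__NS_Service_2', '__NS_Service_3')
    },
    [pscustomobject]@{
        Step  = '13J'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
        Names = @('LEGACY___NS_Service', 'LEGACY___NS_Service_2', 'LEGACY___NS_Service_3')
    },
    [pscustomobject]@{
        Step  = '15'
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        Names = @('HSA', 'SE', 'SW')   # the three keys removed by hsafix.reg
    }
)

function Find-HomeSearchRegistryArtifacts {
    [CmdletBinding()]
    param([object[]]$Checks)

    foreach ($check in $Checks) {
        if (-not (Test-Path -LiteralPath $check.Path)) {
            Write-Verbose "Parent key missing, skipping: $($check.Path)"
            continue
        }
        $parent = Get-Item -LiteralPath $check.Path
        # Names may appear as values under the parent (the "right pane" in the
        # post) or as subkeys; both are checked.
        $valueNames = $parent.GetValueNames()

        foreach ($name in $check.Names) {
            $subKeyPath = Join-Path -Path $check.Path -ChildPath $name
            if (Test-Path -LiteralPath $subKeyPath) {
                # AreAccessRulesProtected = $true means "Allow inheritable
                # permissions" is unchecked, the case the 13I/13J note covers.
                $acl = Get-Acl -LiteralPath $subKeyPath
                [pscustomobject]@{
                    Step               = $check.Step
                    Kind               = 'SubKey'
                    Location           = $subKeyPath
                    Owner              = $acl.Owner
                    InheritanceBlocked = $acl.AreAccessRulesProtected
                }
            }
            if ($valueNames -contains $name) {
                [pscustomobject]@{
                    Step               = $check.Step
                    Kind               = 'Value'
                    Location           = "$($check.Path)\$name"
                    Owner              = $null
                    InheritanceBlocked = $null
                }
            }
        }
    }
}

$hits = @(Find-HomeSearchRegistryArtifacts -Checks $Checks -Verbose)
if ($hits.Count -eq 0) {
    Write-Host 'No __NS_Service, LEGACY___NS_Service or HSA/SE/SW entries found.'
} else {
    $hits | Format-Table -AutoSize
}
```

    A clean system prints the "No ... entries found" line. Any row with InheritanceBlocked set to True points at a key where the Permissions change in the note after step 13J will be needed before Regedit lets you delete it.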
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have a couple of edits to put into the procedure if you have not started yet. I'll be done in a couple seconds.
     
  26. Dobbs734

    Dobbs734 Private E-2

    So far, I've done the updates for all of the anti-spyware programs. With Step 2, I cannot view the link you gave me. It always comes up with a "HTTP 404 Not Found". If this link is important, then I'll wait to do anything, otherwise just tell me what it is and I'll continue with the process. Thanks!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hang on, I'll check it. Also I just made changes to the procedure, so make sure to refresh and print it after reading through and before starting.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay click refresh and try that link now.


    Make sure you download CCleaner added to the beginning area.
     
  29. Dobbs734

    Dobbs734 Private E-2

    Yeah, I've been using the F8 method for restarting in safe mode. Should I keep doing that, or should I try the msconfig method?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Either way is fine. The msconfig method is just more reliable. Some people have trouble using the F8 method.

    Did you get CCleaner?
     
  31. Dobbs734

    Dobbs734 Private E-2

    Yep, just got it from you guys. Anything else before I begin?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I just did one more update to make it easier on you. I changed step 13.0 to indicate exactly what to do with CCleaner.

    Do you see it?

    Other than that, if you understand everything, GO FOR IT.
    MAKE SURE TO BE PHYSICALLY DISCONNECTED FROM INTERNET. I cannot stress that point enough.
     
  33. Dobbs734

    Dobbs734 Private E-2

    Alright, thanks, I'll give this a shot. If anything comes up I'll notify you immediately. Thanks again.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It still looks like you are connected. I hope you are not doing these steps while connected. As I said that could be one of the most important steps in removing this.
     
  35. Dobbs734

    Dobbs734 Private E-2

    Hey chaslang! It's all fixed now! No more homepage set to the irritating Home Search anymore! I know you made me that tutorial to fix it, but I tried some of those methods (about halfway through) and it didn't work. So I just dropped it. The weird part was that I just did a full system scan with Norton Anti-Virus one day and it showed all the trojans that made that Home Search on my computer. Any other day, it would have shown no viruses or anything when doing a system scan, but for some reason it got all of the trojans. So I just wanna thank you again for your time and WISE instructions that helped me along the way! :) peace
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy to hear it all worked out, but you should have told me you were having problems halfway through so we could work through them. Also, if there is a problem understanding some aspect of the steps, it is good to know that so I can modify them so that everyone can understand.
     
