Im i clean now

Discussion in 'Malware Help (A Specialist Will Reply)' started by gazza, Jan 13, 2005.

  1. gazza

    gazza Private E-2

    Hi
    I had home search assistent on my computer,its windows xp home.
    I stopped and disabled remote procedure(rpc) helper.
    Turned off system restore.
    Ran ad-aware se.
    Ran spy-bot.
    Ran hs remove.
    Ran about buster.
    Ran hijackthis.
    Here is the log.

    Is there anything else i can do to stop it getting back on my computer.
    Thanks.
    Gazza.
    p.s do i have to do everything in safe mode?
     

    Attached Files:

    Last edited by a moderator: Jan 13, 2005
    gazza, Jan 13, 2005
    #1
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Nope, not clean. This thread mentions installing programs like Spyware Blaster and you need anti-virus and a firewall.
    http://forums.majorgeeks.com/showthread.php?t=35407

    Remove

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\djxkq.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\djxkq.dll/sp.html#10001
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\bbc.co.uk
    O2 - BHO: (no name) - {8650B9FD-D511-3B3C-53C7-3F446E18261C} - C:\WINDOWS\d3wt32.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

    Were working on new tutorials for removing, etc. Let me know how this works out.
     
    Major Attitude, Jan 13, 2005
    #2
  3. gazza

    gazza Private E-2

    I removed all,but windows did not like it wheni took off
    04 - Global Startup:hp psc 1000 series.lnk=?
    04 - Global Startup:hpoddt01.exe.lnk=?
    It went to its webpage and hsa was back in again.
    I have avg anti-virus 7.0.300 running.
    I use windows firewall.
    I have spyware blaster installed.
    Here is the newest hijackthis log.
    Logfile of HijackThis v1.99.0
    Scan saved at 18:02:42, on 13/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\appca.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\Opera\opera.exe
    C:\Program Files\hi jack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fzhgw.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fzhgw.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: (no name) - {0F1D7B59-74D4-8EF2-0A9A-D8796491F3F9} - C:\WINDOWS\system32\sdkjn32.dll
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [appca.exe] C:\WINDOWS\system32\appca.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\crgp32.exe (file missing)

    Thanks Gazza
     
    gazza, Jan 13, 2005
    #3

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds