Search Extender and Shopping Assistant

Did you run ALL of the steps of the Generic Solution exactly as listed, in the order listed, and were you physically disconnected from the internet when you did them?


Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

Not just its own folder. Make sure it is not in any of the ones I specified and all browsers are shutdown. Then run a scan and attach it.

 

Follow directions and try again. You have HJT running from exactly one of the places we said not to run it from. You are running it from the ZIP file.

C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

Okay! I won't be here much longer tonight though! It's now 4:32 AM my time.

 

You must only run one antivirus program. You are running both AVG and Norton. You must uninstall one of them.

And please remember ALL browsers must be shut down before using HJT. You had this running.
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe


EDIT: Okay That appears to be a quick lauch program. Not a browser itself

Is this your home page: http://www.salon.com/

 

Okay one more question, is the below proxy setting something you require.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost

 

It is typcically used (more in companies) as a server that you go thru to get in and out of your internal network. Do you recognize those addresses? Is this a work PC?

 

Okay for now let's skip the proxy line and see where we get. We'll have to finish later. I have to get some sleep. So do the below and get back to me with the results.

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
C:\WINNT\netoa32.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\dnfwd.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\dnfwd.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6CA0D7D0-70AB-C9B7-FD57-3BC938F6A456} - C:\WINNT\system32\netxl32.dll
O4 - HKLM\..\Run: [javads32.exe] C:\WINNT\system32\javads32.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOCUME~1\Brian\LOCALS~1\Temp\B.tmp.exe 0 10001
O4 - HKLM\..\Run: [B.tmp.exe] C:\DOCUME~1\Brian\LOCALS~1\Temp\B.tmp.exe 0 10001
O4 - HKLM\..\Run: [winpj.exe] C:\WINNT\winpj.exe
O4 - HKLM\..\RunOnce: [netoa32.exe] C:\WINNT\netoa32.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINNT\system32\crrm32.exe (file missing)
After clicking FIX, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINNT\netoa32.exe
C:\WINNT\winpj.exe
C:\WINNT\dnfwd.dll
C:\WINNT\system32\netxl32.dll
C:\WINNT\system32\javads32.exe
C:\Documents and Settings\Brian\Local Settings\Temp\B.tmp.exe <--- it may be a good idea to remove all files in this directory.

Reset Web Settings
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to http://www.salon.com/
Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

That log does not appear to be from normal boot mode. HJT logs should always be from normal boot mode unless otherwise specified. If it is from normal boot mode, jus tell me. But then I would wonder why none of your virus application items are running.

 

That's more like it! Log is clean!

Try this:

Save the lines from the quote box below to a file called hsafix.reg, then using windows explorer double click on the hsafix.reg file a merge the fix into the registry.

Tell me what you see in Add/Remove programs now.

 

You're welcome!

What you need is here: How to Protect yourself from malware!

 

I don't understand what you mean about SpySubtract.

No you cannot and probably should not disable IE. You will find that sometimes you may need it. Some sites will not work correctly unless you use IE. Even downloading form Microsoft update can be a problem without it. Just use FireFox and make it your default browser.

 

So what are you asking me?

Did you make FireFox you default browser? If not, you should do that.

If you clicked on anything that would cause a popup and IE is still your default browser, it will come up.

 

Well then I would blame SpySubtract which you have installed for popping up some kind of notification. They probably have defaulted to using IE (poor programming). What was the page showing? Was it a prompt to update or a prompt to buy it. If you did not buy it, uninstall it. The free programs available are better anyway.

 

You're welcome. Happy, safe, surfing!