PDA

View Full Version : Home Search & Shopping Wizard Help Please

jomidi
7 Jul 2005, 2:10am
Ran Ad-Aware and Spybot but problem still exists. Would appreciate any advice. Thank You.
By the way...Great Forum!
User Name: jomidi

Logfile of HijackThis v1.99.1
Scan saved at 8:54:53 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MSREMO~1\NetCfgSv.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\mssi.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\jomidi\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe
C:\WINDOWS\system32\msmr32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32

\fdjej.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32

\fdjej.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

res://C:\WINDOWS\system32\fdjej.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINDOWS\tdphk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32

\fdjej.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINDOWS\system32\fdjej.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {83241F15-A38D-4603-9874-0E32E3A2D544} - C:\WINDOWS\ntrl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar2.dll
O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program

Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -

osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5

\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared

Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe

c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mssi.exe] C:\WINDOWS\mssi.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [sdkwc.exe] C:\WINDOWS\system32\sdkwc.exe
O4 - HKLM\..\RunOnce: [apibc32.exe] C:\WINDOWS\system32\apibc32.exe
O4 - HKLM\..\RunOnce: [javaxk32.exe] C:\WINDOWS\system32\javaxk32.exe
O4 - HKLM\..\RunOnce: [netkq32.exe] C:\WINDOWS\system32\netkq32.exe
O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\d3vc.exe
O4 - HKLM\..\RunOnce: [addxn32.exe] C:\WINDOWS\addxn32.exe
O4 - HKLM\..\RunOnce: [crah.exe] C:\WINDOWS\system32\crah.exe
O4 - HKLM\..\RunOnce: [apihg32.exe] C:\WINDOWS\apihg32.exe
O4 - HKLM\..\RunOnce: [appzk.exe] C:\WINDOWS\system32\appzk.exe
O4 - HKLM\..\RunOnce: [sdkhl.exe] C:\WINDOWS\sdkhl.exe
O4 - HKLM\..\RunOnce: [iplh32.exe] C:\WINDOWS\iplh32.exe
O4 - HKLM\..\RunOnce: [apihq32.exe] C:\WINDOWS\system32\apihq32.exe
O4 - HKLM\..\RunOnce: [ieyi32.exe] C:\WINDOWS\system32\ieyi32.exe
O4 - HKLM\..\RunOnce: [winip32.exe] C:\WINDOWS\system32\winip32.exe
O4 - HKLM\..\RunOnce: [sysud.exe] C:\WINDOWS\sysud.exe
O4 - HKLM\..\RunOnce: [d3uk32.exe] C:\WINDOWS\system32\d3uk32.exe
O4 - HKLM\..\RunOnce: [msmr32.exe] C:\WINDOWS\system32\msmr32.exe
O4 - HKLM\..\RunOnce: [ntrl.exe] C:\WINDOWS\ntrl.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0

\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3

\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program

Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {126D9184-71E9-42D0-9DE5-DEA8508E6ABF} - C:\Program

Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?

s=consumerfav&c=1c02&lc=0409
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online Enterprise Edition) -

https://portal.morganstanley.com/llclient/portalna/winxp/AXXPEE.dll,DanaInfo=hqinvpn3,SSL,CT

=java+
O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) -

http://www.compaq.com/athome/support/PCHInstallTrust01.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) -

http://entimg.msn.com/client/msnmusax3028.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) -

http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E00243EB-5B0B-4092-B2B9-8B3F239E5713}: Domain =

ms.com
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program

Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard -

C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook

Utilities\HPWirelessMgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network

Associates\McShield\Mcshield.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\MSREMO~1

\NetCfgSv.EXE
Buckeye_Sam
8 Jul 2005, 2:34pm
You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. With that in mind, some of these filenames may be different. But the pattern is the same and you may be able to determine the correct files to remove. The sooner you perform this fix, the higher it's chances for success.

Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.

Please print out these instructions.


Step 1
Download CWShredder (http://cwshredder.net/bin/CWSInstall.exe) but don't run it yet.


Step 2
Download AboutBuster (http://www.majorgeeks.com/download4289.html)
Unzip it to your desktop but don't run it yet.


Step 3
Download Ad-aware SE 1.06 (http://www.majorgeeks.com/download506.html)
Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


Step 5
Make sure that you can VIEW ALL HIDDEN FILES. (http://www.short-media.com/forum/showpost.php?p=172588&postcount=3)


Step 6
Reboot your computer into SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)


Step 7
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fdjej.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdjej.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\system32\fdjej.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\tdphk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fdjej.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\system32\fdjej.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {83241F15-A38D-4603-9874-0E32E3A2D544} - C:\WINDOWS\ntrl.dll
O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll
O4 - HKLM\..\Run: [mssi.exe] C:\WINDOWS\mssi.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [sdkwc.exe] C:\WINDOWS\system32\sdkwc.exe
O4 - HKLM\..\RunOnce: [apibc32.exe] C:\WINDOWS\system32\apibc32.exe
O4 - HKLM\..\RunOnce: [javaxk32.exe] C:\WINDOWS\system32\javaxk32.exe
O4 - HKLM\..\RunOnce: [netkq32.exe] C:\WINDOWS\system32\netkq32.exe
O4 - HKLM\..\RunOnce: [d3vc.exe] C:\WINDOWS\d3vc.exe
O4 - HKLM\..\RunOnce: [addxn32.exe] C:\WINDOWS\addxn32.exe
O4 - HKLM\..\RunOnce: [crah.exe] C:\WINDOWS\system32\crah.exe
O4 - HKLM\..\RunOnce: [apihg32.exe] C:\WINDOWS\apihg32.exe
O4 - HKLM\..\RunOnce: [appzk.exe] C:\WINDOWS\system32\appzk.exe
O4 - HKLM\..\RunOnce: [sdkhl.exe] C:\WINDOWS\sdkhl.exe
O4 - HKLM\..\RunOnce: [iplh32.exe] C:\WINDOWS\iplh32.exe
O4 - HKLM\..\RunOnce: [apihq32.exe] C:\WINDOWS\system32\apihq32.exe
O4 - HKLM\..\RunOnce: [ieyi32.exe] C:\WINDOWS\system32\ieyi32.exe
O4 - HKLM\..\RunOnce: [winip32.exe] C:\WINDOWS\system32\winip32.exe
O4 - HKLM\..\RunOnce: [sysud.exe] C:\WINDOWS\sysud.exe
O4 - HKLM\..\RunOnce: [d3uk32.exe] C:\WINDOWS\system32\d3uk32.exe
O4 - HKLM\..\RunOnce: [msmr32.exe] C:\WINDOWS\system32\msmr32.exe
O4 - HKLM\..\RunOnce: [ntrl.exe] C:\WINDOWS\ntrl.exe




Step 8
Now run CWShredder, making sure to click "Fix".


Step 9
Delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\system32\fdjej.dll
C:\WINDOWS\ntrl.dll
C:\WINDOWS\system32\ipsf32.dll
C:\WINDOWS\mssi.exe
C:\WINDOWS\system32\sdkwc.exe
C:\WINDOWS\system32\apibc32.exe
C:\WINDOWS\system32\javaxk32.exe
C:\WINDOWS\system32\netkq32.exe
C:\WINDOWS\d3vc.exe
C:\WINDOWS\addxn32.exe
C:\WINDOWS\system32\crah.exe
C:\WINDOWS\apihg32.exe
C:\WINDOWS\system32\appzk.exe
C:\WINDOWS\sdkhl.exe
C:\WINDOWS\iplh32.exe
C:\WINDOWS\system32\apihq32.exe
C:\WINDOWS\system32\ieyi32.exe
C:\WINDOWS\system32\winip32.exe
C:\WINDOWS\sysud.exe
C:\WINDOWS\system32\d3uk32.exe
C:\WINDOWS\system32\msmr32.exe
C:\WINDOWS\ntrl.exe


Step 10
Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.


Step 11
Run a full scan with Adaware.


Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.