stupid homesearchassistant...

Okay, I got infected with this thing many months ago, but I was so scared by the guide, because I'm such a computer noob, that I didn't do anything for such a long time. Now when I try to run Spybot or Disk Cleanup it takes forever, because I think it has replicated itself so many times it's literally filling up my hard drive. I have a 120 gigabyte hard drive and I can't account for about 40 gigs. Anyway, here are my HJT log and also my active processes script thing, because for some reason I can only find one of the services mentioned in the HomeSearchAssistant removal guide. I think it's because I had downloaded Spybot and Ad-Aware versions that partially removed my infection. Oh well, please help me, I don't know what to do.

Comments

  • edited January 2006
    I'm sorry, I should've copied the text in here. Please forgive me, I'm such an idiot.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:07:46 AM, on 1/20/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\??sks\spool32.exe
    C:\Program Files\saoa\empn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\crui32.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\system32\atlzw32.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\Wryv.exe
    C:\WINDOWS\System32\Gbi1r6.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nolit.dll/sp.html#37049%
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nolit.dll/sp.html#37049%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nolit.dll/sp.html#37049%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nolit.dll/sp.html#37049%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nolit.dll/sp.html#37049%
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nolit.dll/sp.html#37049%
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nolit.dll/sp.html#37049%
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.48.218.178:80
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {3E948DE2-4EA9-DB4D-D6CA-C5AB6D316BD5} - C:\WINDOWS\winuy.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Class - {FD350929-ABF9-B29E-4912-9CF55B4CB92A} - C:\WINDOWS\system32\winwz.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [5K57NT@5PYSLS7] C:\WINDOWS\System32\Gzn442nI.exe
    O4 - HKLM\..\Run: [apikn.exe] C:\WINDOWS\system32\apikn.exe
    O4 - HKLM\..\Run: [atlzw32.exe] C:\WINDOWS\system32\atlzw32.exe
    O4 - HKCU\..\Run: [Gfbxc] C:\WINDOWS\System32\??sks\spool32.exe
    O4 - HKCU\..\Run: [Oeac] "C:\Program Files\saoa\empn.exe" -vt rbnd
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097842334656
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite/fvliteY.cab
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crui32.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    These are the Current Active Services:

    Ati HotKey Poller: Ati HotKey Poller
    C:\WINDOWS\System32\Ati2evxx.exe

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Fast User Switching Compatibility: FastUserSwitchingCompatibility
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    InCD File System Service: InCDsrv
    C:\Program Files\Ahead\InCD\InCDsrv.exe

    iPodService: iPodService
    C:\Program Files\iPod\bin\iPodService.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    SSDP Discovery Service: SSDPSRV
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    SoundMAX Agent Service: SoundMAX Agent Service (default)
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    Windows User Mode Driver Framework: UMWdf
    C:\WINDOWS\System32\wdfmgr.exe

    WMI Performance Adapter: WmiApSrv
    C:\WINDOWS\System32\wbem\wmiapsrv.exe

    Network Security Service: 11Fßä#·ºÄÖ`I
    C:\WINDOWS\system32\crui32.exe /s
  • Crunchie (Mandurah, Western Australia), Member
    edited January 2006
    Download CWShredder 2.19 from here.

    Download 'SpSeHjfix' to the desktop, then
    right-click a blank part of the desktop and select New Folder, call it spfix,
    and unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix' and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

    Run the shredder and press *Fix*, not *Scan*, and allow it to clean the infection. Close all browser and Explorer windows before hitting the Fix button.

    Reboot.

    ==

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    ===============

    Download AboutBuster 6.0:

    http://www.besttechie.net/tools/AboutBuster.zip
    http://www.malwarebytes.org/AboutBuster.zip

    Once downloaded, unzip it, and put the folder on your desktop.

    Reboot into safe mode following the instructions here.

    Start AboutBuster and click Begin Removal.

    Click yes to close down any Internet Explorer windows.

    When the scan is done, click Ok.

    You can then exit the program.

    Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan.
    Restart your computer in normal mode.

    Download CCleaner and install, then run it.
    1. Uncheck "Cookies" under "Internet Explorer".
    2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
    3. Close when finished.

    Post a fresh HJT log and the log that was created by 'SpSeHjfix' as well as the log from the Ewido scan.

    ==

    When you save the hijackthis scan to notepad, please go to the format button at the top of notepad and place a tick next to Word Wrap. The formatting above makes it difficult to read the log.