Home Search Assistant...
Here is a log from HijackThis....
Logfile of HijackThis v1.98.0
Scan saved at 6:28:06 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ippg.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\system32\crzl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Customer\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {22D6C587-4D57-6C41-8B40-18989B320034} - C:\WINDOWS\system32\crzl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Customer\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [crzl.exe] C:\WINDOWS\system32\crzl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
O4 - HKLM\..\RunOnce: [ippg.exe] C:\WINDOWS\system32\ippg.exe
O4 - HKLM\..\RunOnce: [msvs32.exe] C:\WINDOWS\system32\msvs32.exe
O4 - HKLM\..\RunOnce: [javaxi32.exe] C:\WINDOWS\javaxi32.exe
O4 - HKLM\..\RunOnce: [d3ce.exe] C:\WINDOWS\d3ce.exe
O4 - HKLM\..\RunOnce: [d3hp.exe] C:\WINDOWS\system32\d3hp.exe
O4 - HKLM\..\RunOnce: [addcn32.exe] C:\WINDOWS\addcn32.exe
O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
O4 - HKLM\..\RunOnce: [crnx32.exe] C:\WINDOWS\system32\crnx32.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\system32\ntmw.exe
O4 - HKLM\..\RunOnce: [mfcfn.exe] C:\WINDOWS\system32\mfcfn.exe
O4 - HKLM\..\RunOnce: [javaqx.exe] C:\WINDOWS\system32\javaqx.exe
O4 - HKLM\..\RunOnce: [syslc32.exe] C:\WINDOWS\system32\syslc32.exe
O4 - HKLM\..\RunOnce: [sysrt.exe] C:\WINDOWS\sysrt.exe
O4 - HKLM\..\RunOnce: [javawn.exe] C:\WINDOWS\system32\javawn.exe
O4 - HKLM\..\RunOnce: [ntdf.exe] C:\WINDOWS\ntdf.exe
O4 - HKLM\..\RunOnce: [addcz32.exe] C:\WINDOWS\system32\addcz32.exe
O4 - HKLM\..\RunOnce: [apirx32.exe] C:\WINDOWS\apirx32.exe
O4 - HKLM\..\RunOnce: [mfcgo.exe] C:\WINDOWS\mfcgo.exe
O4 - HKLM\..\RunOnce: [cryg32.exe] C:\WINDOWS\cryg32.exe
O4 - HKLM\..\RunOnce: [cruz32.exe] C:\WINDOWS\cruz32.exe
O4 - HKLM\..\RunOnce: [neteu32.exe] C:\WINDOWS\system32\neteu32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.cum4me.tv/2/dploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25F64694-8B9E-42C0-85FE-4704F6CF454B}: NameServer = 207.69.188.187 207.69.188.186
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
Welcome to Short Media
First things first.
Put HJT into its own folder, e.g. C:\HJT. That way the backups of your fixes will have a safe place to hang out.
Next, download LSP-Fix (download here => http://www.short-media.com/download.php?dc=69). Put that in the same folder as HJT for simplicity.
Disable System Restore (Start Menu -> Control Panel -> System -> System Restore. Turn off System Restore for all drives. Apply and OK.)
Next, run AdAware and Spybot S&D. You can get the downloads here => http://www.short-media.com/download.php?dc=69. Make sure you update both before running. (Also, is your anti-virus up-to-date? If not, run a free virus scan here => http://www.pandasoftware.com/activescan or here => http://housecall.trendmicro.com)
Reboot in SAFE MODE (tap F8 key at boot until you get the boot options menu. Choose SAFE MODE with no options.)
Run HJT. Scan. Fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Customer\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [crzl.exe] C:\WINDOWS\system32\crzl.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
O4 - HKLM\..\RunOnce: [ippg.exe] C:\WINDOWS\system32\ippg.exe
O4 - HKLM\..\RunOnce: [msvs32.exe] C:\WINDOWS\system32\msvs32.exe
O4 - HKLM\..\RunOnce: [javaxi32.exe] C:\WINDOWS\javaxi32.exe
O4 - HKLM\..\RunOnce: [d3ce.exe] C:\WINDOWS\d3ce.exe
O4 - HKLM\..\RunOnce: [d3hp.exe] C:\WINDOWS\system32\d3hp.exe
O4 - HKLM\..\RunOnce: [addcn32.exe] C:\WINDOWS\addcn32.exe
O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
O4 - HKLM\..\RunOnce: [crnx32.exe] C:\WINDOWS\system32\crnx32.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\system32\ntmw.exe
O4 - HKLM\..\RunOnce: [mfcfn.exe] C:\WINDOWS\system32\mfcfn.exe
O4 - HKLM\..\RunOnce: [javaqx.exe] C:\WINDOWS\system32\javaqx.exe
O4 - HKLM\..\RunOnce: [syslc32.exe] C:\WINDOWS\system32\syslc32.exe
O4 - HKLM\..\RunOnce: [sysrt.exe] C:\WINDOWS\sysrt.exe
O4 - HKLM\..\RunOnce: [javawn.exe] C:\WINDOWS\system32\javawn.exe
O4 - HKLM\..\RunOnce: [ntdf.exe] C:\WINDOWS\ntdf.exe
O4 - HKLM\..\RunOnce: [addcz32.exe] C:\WINDOWS\system32\addcz32.exe
O4 - HKLM\..\RunOnce: [apirx32.exe] C:\WINDOWS\apirx32.exe
O4 - HKLM\..\RunOnce: [mfcgo.exe] C:\WINDOWS\mfcgo.exe
O4 - HKLM\..\RunOnce: [cryg32.exe] C:\WINDOWS\cryg32.exe
O4 - HKLM\..\RunOnce: [cruz32.exe] C:\WINDOWS\cruz32.exe
O4 - HKLM\..\RunOnce: [neteu32.exe] C:\WINDOWS\system32\neteu32.exe
After fixing those entries, exit HJT. Stay in SAFE MODE, and manually locate every single one of those .exe files, .dll files and .html files.
Move these to a new folder called C:\Quarantine. Rename the .dll's to .ddd, the .exe's to .xxx and the .html's to .hhhh. That way you can always replace them if it somehow turns out that I am completely wrong and these are necessary files....which is not likely, but quarantining is safer than deleting them.
Next, run LSP-Fix, and fix any problems it finds.
Reboot, and check things out. Scan with HJT and post a fresh log to let us know how it worked.
Dexter...
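As an added example (not code from this thread or from HijackThis), here is a small Python script that reads log lines in the format posted above, flags the kinds of entries the reply told the poster to fix, and works out the C:\Quarantine rename for each flagged file. The flagging rules are my approximation of the reasoning behind the reply's fix list, not a complete rule set, and SAMPLE_LOG is constructed from entries on this page.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample: six entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Customer\LOCALS~1\Temp\app3C.tmp
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
O4 - HKLM\..\RunOnce: [crnx32.exe] C:\WINDOWS\system32\crnx32.exe
"""
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
QUARANTINE_EXT = {".dll": ".ddd", ".exe": ".xxx", ".html": ".hhhh"}

def o4_path(command):
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|tmp|dll|com|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command

def flag_entries(log_text):
    """Return [(type, name, path_or_value, reason)]; rules are my reading of the reply."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        if kind in ("R0", "R1") and rest.endswith("about:blank"):
            setting = rest.split(",")[-1].split(" = ")[0]
            flagged.append((kind, setting, "about:blank", "IE setting reset to about:blank"))
        elif kind == "R3" and "missing" in rest:
            flagged.append((kind, "URLSearchHook", "", "default URLSearchHook missing"))
        elif kind == "O4" and (o := O4_RE.match(rest)):
            key, name, cmd = o.groups()
            path = o4_path(cmd)
            if key == "RunOnce":  # the reply listed every RunOnce entry
                flagged.append((kind, name, path, "RunOnce autorun"))
            elif key == "RunServices" and "\\" not in path:
                flagged.append((kind, name, path, "bare filename, no directory"))
            elif "\\Temp\\" in path:
                flagged.append((kind, name, path, "autorun from a Temp folder"))
    return flagged

def quarantine_target(path, folder=r"C:\Quarantine"):
    """Destination for the move-and-rename step (.dll->.ddd, .exe->.xxx, .html->.hhhh)."""
    p = PureWindowsPath(path)
    return str(PureWindowsPath(folder) / (p.stem + QUARANTINE_EXT.get(p.suffix.lower(), p.suffix)))
```

Run flag_entries(SAMPLE_LOG) to see which of the six sample lines are picked out and why; the ccApp entry is the deliberate negative case.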