home search assistant

edited August 2004 in Spyware & Virus Removal
Logfile of HijackThis v1.98.0
Scan saved at 23:25:23, on 29/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\appfb.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\msmf32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Documents and Settings\thomascaptain\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jouxe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jouxe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jouxe.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jouxe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jouxe.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jouxe.dll/index.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {D4CB88C2-2EFB-4DF2-F24B-680ACBE69CF4} - C:\WINDOWS\system32\ipyc.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [msmf32.exe] C:\WINDOWS\system32\msmf32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [atlxv32.exe] C:\WINDOWS\system32\atlxv32.exe
O4 - HKLM\..\RunOnce: [netwq32.exe] C:\WINDOWS\netwq32.exe
O4 - HKLM\..\RunOnce: [apihu.exe] C:\WINDOWS\apihu.exe
O4 - HKLM\..\RunOnce: [iedf.exe] C:\WINDOWS\system32\iedf.exe
O4 - HKLM\..\RunOnce: [mfcen32.exe] C:\WINDOWS\mfcen32.exe
O4 - HKLM\..\RunOnce: [atlsy.exe] C:\WINDOWS\atlsy.exe
O4 - HKLM\..\RunOnce: [ieyy.exe] C:\WINDOWS\ieyy.exe
O4 - HKLM\..\RunOnce: [atliy32.exe] C:\WINDOWS\system32\atliy32.exe
O4 - HKLM\..\RunOnce: [apiuv32.exe] C:\WINDOWS\system32\apiuv32.exe
O4 - HKLM\..\RunOnce: [netur.exe] C:\WINDOWS\system32\netur.exe
O4 - HKLM\..\RunOnce: [d3qw.exe] C:\WINDOWS\d3qw.exe
O4 - HKLM\..\RunOnce: [appfb.exe] C:\WINDOWS\appfb.exe
O4 - HKLM\..\RunOnce: [javahf.exe] C:\WINDOWS\javahf.exe
O4 - HKLM\..\RunOnce: [sysya.exe] C:\WINDOWS\sysya.exe
O4 - HKLM\..\RunOnce: [mfccc.exe] C:\WINDOWS\mfccc.exe
O4 - HKLM\..\RunOnce: [iehw32.exe] C:\WINDOWS\system32\iehw32.exe
O4 - HKLM\..\RunOnce: [d3ir.exe] C:\WINDOWS\d3ir.exe
O4 - HKLM\..\RunOnce: [mfcbb.exe] C:\WINDOWS\mfcbb.exe
O4 - HKLM\..\RunOnce: [javati32.exe] C:\WINDOWS\system32\javati32.exe
O4 - HKLM\..\RunOnce: [ipab32.exe] C:\WINDOWS\ipab32.exe
O4 - HKLM\..\RunOnce: [addkp.exe] C:\WINDOWS\system32\addkp.exe
O4 - HKLM\..\RunOnce: [apijw.exe] C:\WINDOWS\system32\apijw.exe
O4 - HKLM\..\RunOnce: [iefl32.exe] C:\WINDOWS\iefl32.exe
O4 - HKLM\..\RunOnce: [apitw32.exe] C:\WINDOWS\system32\apitw32.exe
O4 - HKLM\..\RunOnce: [atltt32.exe] C:\WINDOWS\system32\atltt32.exe
O4 - HKLM\..\RunOnce: [appsp.exe] C:\WINDOWS\system32\appsp.exe
O4 - HKLM\..\RunOnce: [sdkfj.exe] C:\WINDOWS\system32\sdkfj.exe
O4 - HKLM\..\RunOnce: [sysuc32.exe] C:\WINDOWS\sysuc32.exe
O4 - HKLM\..\RunOnce: [mfccp32.exe] C:\WINDOWS\mfccp32.exe
O4 - HKLM\..\RunOnce: [d3hi32.exe] C:\WINDOWS\system32\d3hi32.exe
O4 - HKLM\..\RunOnce: [addic32.exe] C:\WINDOWS\addic32.exe
O4 - HKLM\..\RunOnce: [sdkbc.exe] C:\WINDOWS\sdkbc.exe
O4 - HKLM\..\RunOnce: [apiuj.exe] C:\WINDOWS\system32\apiuj.exe
O4 - HKLM\..\RunOnce: [iphv.exe] C:\WINDOWS\system32\iphv.exe
O4 - HKLM\..\RunOnce: [winuz.exe] C:\WINDOWS\winuz.exe
O4 - HKLM\..\RunOnce: [addto32.exe] C:\WINDOWS\addto32.exe
O4 - HKLM\..\RunOnce: [javary32.exe] C:\WINDOWS\javary32.exe
O4 - HKLM\..\RunOnce: [appil.exe] C:\WINDOWS\system32\appil.exe
O4 - HKLM\..\RunOnce: [ntrk32.exe] C:\WINDOWS\system32\ntrk32.exe
O4 - HKLM\..\RunOnce: [javaqi.exe] C:\WINDOWS\javaqi.exe
O4 - HKLM\..\RunOnce: [appvn.exe] C:\WINDOWS\system32\appvn.exe
O4 - HKLM\..\RunOnce: [sysig.exe] C:\WINDOWS\system32\sysig.exe
O4 - HKLM\..\RunOnce: [netyg32.exe] C:\WINDOWS\netyg32.exe
O4 - HKLM\..\RunOnce: [winap.exe] C:\WINDOWS\system32\winap.exe
O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe
O4 - HKLM\..\RunOnce: [apppv32.exe] C:\WINDOWS\system32\apppv32.exe
O4 - HKLM\..\RunOnce: [winni.exe] C:\WINDOWS\winni.exe
O4 - HKLM\..\RunOnce: [ntsb32.exe] C:\WINDOWS\system32\ntsb32.exe
O4 - HKLM\..\RunOnce: [apipx32.exe] C:\WINDOWS\system32\apipx32.exe
O4 - HKLM\..\RunOnce: [mskz32.exe] C:\WINDOWS\mskz32.exe
O4 - HKLM\..\RunOnce: [d3qk.exe] C:\WINDOWS\system32\d3qk.exe
O4 - HKLM\..\RunOnce: [ieyo32.exe] C:\WINDOWS\ieyo32.exe
O4 - HKLM\..\RunOnce: [javahl32.exe] C:\WINDOWS\javahl32.exe
O4 - HKLM\..\RunOnce: [ntvh32.exe] C:\WINDOWS\system32\ntvh32.exe
O4 - HKLM\..\RunOnce: [atlyz.exe] C:\WINDOWS\atlyz.exe
O4 - HKLM\..\RunOnce: [winlf.exe] C:\WINDOWS\winlf.exe
O4 - HKLM\..\RunOnce: [ieph.exe] C:\WINDOWS\ieph.exe
O4 - HKLM\..\RunOnce: [mfcum.exe] C:\WINDOWS\mfcum.exe
O4 - HKCU\..\Run: [Anders Kjersem: PopKiller] "C:\Program Files\Anders Kjersem\PopKiller\PopKiller.exe" /tray
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BCA0DA7-2536-4F55-A845-EA4B6381628A}: NameServer = 194.72.9.34 194.74.65.69

This one has got me baffled.
I would be forever in your debt if you could sort this out please.
I have tried adaware and spybot, still to no avail.
Thanks very much,
Captain Tom.

Comments

  • vanagon40 Indiana Member
    edited July 2004
    WOW! (Looks like you and Ms 72701 have been drinking from the same cup)

    Welcome to Short Media

    First things first.

    Put HJT into its own folder (e.g.: C:\HJT). HJT makes a backup when fixing files that is easier to locate (and less likely to get lost) when stored in a separate folder.

    Next, download LSP-Fix (download here => http://www.short-media.com/download.php?dc=69). Put that in the same folder as HJT for simplicity.

    Disable System Restore (Start Menu -> Control Panels -> System -> System Restore. Turn off System Restore for all drives. Apply and OK.)

    Next, run AdAware and Spybot S&D. You can get the downloads here => http://www.short-media.com/download.php?dc=69. Make sure you update both before running. (Also, is your anti-virus up-to-date? If not, run a free virus scan here => http://www.pandasoftware.com/activescan or here => http://housecall.trendmicro.com)

    Reboot in SAFE MODE (tap F8 key at boot until you get the boot options menu. Choose SAFE MODE with no options.)

    Run HJT. Scan. Fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jouxe.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jouxe.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jouxe.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jouxe.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jouxe.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jouxe.dll/index.html#37049

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {D4CB88C2-2EFB-4DF2-F24B-680ACBE69CF4} - C:\WINDOWS\system32\ipyc.dll

    O4 - HKLM\..\Run: [msmf32.exe] C:\WINDOWS\system32\msmf32.exe

    O4 - HKLM\..\RunOnce: [atlxv32.exe] C:\WINDOWS\system32\atlxv32.exe
    O4 - HKLM\..\RunOnce: [netwq32.exe] C:\WINDOWS\netwq32.exe
    O4 - HKLM\..\RunOnce: [apihu.exe] C:\WINDOWS\apihu.exe
    O4 - HKLM\..\RunOnce: [iedf.exe] C:\WINDOWS\system32\iedf.exe
    O4 - HKLM\..\RunOnce: [mfcen32.exe] C:\WINDOWS\mfcen32.exe
    O4 - HKLM\..\RunOnce: [atlsy.exe] C:\WINDOWS\atlsy.exe
    O4 - HKLM\..\RunOnce: [ieyy.exe] C:\WINDOWS\ieyy.exe
    O4 - HKLM\..\RunOnce: [atliy32.exe] C:\WINDOWS\system32\atliy32.exe
    O4 - HKLM\..\RunOnce: [apiuv32.exe] C:\WINDOWS\system32\apiuv32.exe
    O4 - HKLM\..\RunOnce: [netur.exe] C:\WINDOWS\system32\netur.exe
    O4 - HKLM\..\RunOnce: [d3qw.exe] C:\WINDOWS\d3qw.exe
    O4 - HKLM\..\RunOnce: [appfb.exe] C:\WINDOWS\appfb.exe
    O4 - HKLM\..\RunOnce: [javahf.exe] C:\WINDOWS\javahf.exe
    O4 - HKLM\..\RunOnce: [sysya.exe] C:\WINDOWS\sysya.exe
    O4 - HKLM\..\RunOnce: [mfccc.exe] C:\WINDOWS\mfccc.exe
    O4 - HKLM\..\RunOnce: [iehw32.exe] C:\WINDOWS\system32\iehw32.exe
    O4 - HKLM\..\RunOnce: [d3ir.exe] C:\WINDOWS\d3ir.exe
    O4 - HKLM\..\RunOnce: [mfcbb.exe] C:\WINDOWS\mfcbb.exe
    O4 - HKLM\..\RunOnce: [javati32.exe] C:\WINDOWS\system32\javati32.exe
    O4 - HKLM\..\RunOnce: [ipab32.exe] C:\WINDOWS\ipab32.exe
    O4 - HKLM\..\RunOnce: [addkp.exe] C:\WINDOWS\system32\addkp.exe
    O4 - HKLM\..\RunOnce: [apijw.exe] C:\WINDOWS\system32\apijw.exe
    O4 - HKLM\..\RunOnce: [iefl32.exe] C:\WINDOWS\iefl32.exe
    O4 - HKLM\..\RunOnce: [apitw32.exe] C:\WINDOWS\system32\apitw32.exe
    O4 - HKLM\..\RunOnce: [atltt32.exe] C:\WINDOWS\system32\atltt32.exe
    O4 - HKLM\..\RunOnce: [appsp.exe] C:\WINDOWS\system32\appsp.exe
    O4 - HKLM\..\RunOnce: [sdkfj.exe] C:\WINDOWS\system32\sdkfj.exe
    O4 - HKLM\..\RunOnce: [sysuc32.exe] C:\WINDOWS\sysuc32.exe
    O4 - HKLM\..\RunOnce: [mfccp32.exe] C:\WINDOWS\mfccp32.exe
    O4 - HKLM\..\RunOnce: [d3hi32.exe] C:\WINDOWS\system32\d3hi32.exe
    O4 - HKLM\..\RunOnce: [addic32.exe] C:\WINDOWS\addic32.exe
    O4 - HKLM\..\RunOnce: [sdkbc.exe] C:\WINDOWS\sdkbc.exe
    O4 - HKLM\..\RunOnce: [apiuj.exe] C:\WINDOWS\system32\apiuj.exe
    O4 - HKLM\..\RunOnce: [iphv.exe] C:\WINDOWS\system32\iphv.exe
    O4 - HKLM\..\RunOnce: [winuz.exe] C:\WINDOWS\winuz.exe
    O4 - HKLM\..\RunOnce: [addto32.exe] C:\WINDOWS\addto32.exe
    O4 - HKLM\..\RunOnce: [javary32.exe] C:\WINDOWS\javary32.exe
    O4 - HKLM\..\RunOnce: [appil.exe] C:\WINDOWS\system32\appil.exe
    O4 - HKLM\..\RunOnce: [ntrk32.exe] C:\WINDOWS\system32\ntrk32.exe
    O4 - HKLM\..\RunOnce: [javaqi.exe] C:\WINDOWS\javaqi.exe
    O4 - HKLM\..\RunOnce: [appvn.exe] C:\WINDOWS\system32\appvn.exe
    O4 - HKLM\..\RunOnce: [sysig.exe] C:\WINDOWS\system32\sysig.exe
    O4 - HKLM\..\RunOnce: [netyg32.exe] C:\WINDOWS\netyg32.exe
    O4 - HKLM\..\RunOnce: [winap.exe] C:\WINDOWS\system32\winap.exe
    O4 - HKLM\..\RunOnce: [appab32.exe] C:\WINDOWS\appab32.exe
    O4 - HKLM\..\RunOnce: [apppv32.exe] C:\WINDOWS\system32\apppv32.exe
    O4 - HKLM\..\RunOnce: [winni.exe] C:\WINDOWS\winni.exe
    O4 - HKLM\..\RunOnce: [ntsb32.exe] C:\WINDOWS\system32\ntsb32.exe
    O4 - HKLM\..\RunOnce: [apipx32.exe] C:\WINDOWS\system32\apipx32.exe
    O4 - HKLM\..\RunOnce: [mskz32.exe] C:\WINDOWS\mskz32.exe
    O4 - HKLM\..\RunOnce: [d3qk.exe] C:\WINDOWS\system32\d3qk.exe
    O4 - HKLM\..\RunOnce: [ieyo32.exe] C:\WINDOWS\ieyo32.exe
    O4 - HKLM\..\RunOnce: [javahl32.exe] C:\WINDOWS\javahl32.exe
    O4 - HKLM\..\RunOnce: [ntvh32.exe] C:\WINDOWS\system32\ntvh32.exe
    O4 - HKLM\..\RunOnce: [atlyz.exe] C:\WINDOWS\atlyz.exe
    O4 - HKLM\..\RunOnce: [winlf.exe] C:\WINDOWS\winlf.exe
    O4 - HKLM\..\RunOnce: [ieph.exe] C:\WINDOWS\ieph.exe
    O4 - HKLM\..\RunOnce: [mfcum.exe] C:\WINDOWS\mfcum.exe

    You can also Fix any new "O4 - HKLM\..\RunOnce:" entries with random names as above that have been created since you posted this log.

    After fixing those entries, exit HJT. Stay in SAFE MODE, and manually locate every single one of those .exe files and .dll files.

    Move these to a new folder called C:\Quarantine. Rename the .dll's to .ddd, and the .exe's to .xxx. That way you can always replace them if it somehow turns out that one or more of these are necessary files... which is not likely, but quarantining is safer than deleting them. (If you want to be really safe, you could google each and every exe, but they all look bad to me, and the ones I did google did not show up as legitimate programs.)

    Next, run LSP-Fix, and fix any problems it finds.

    Reboot, and check things out. Scan with HJT and post a fresh log to let us know how it worked.

    Finally, you are several updates behind on your IE browser. Download and install the updates from microsoft (under "tools" on the top toolbar). The patches and updates fix known vulnerabilities that are exploited by malware.
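As an added illustration of the triage steps in the reply above (not code from the thread or from the HijackThis project), the script below parses a few HijackThis-format lines, flags the three kinds of entries the reply singles out (R0/R1 values redirected into a local res:// DLL resource plus the missing URLSearchHook, an unnamed O2 BHO, and HKLM RunOnce entries pointing at random-looking file names directly under C:\WINDOWS or system32), and then builds the rename map for the quarantine convention the reply describes (.exe to .xxx, .dll to .ddd under C:\Quarantine). The sample log is constructed from the entry shapes in this thread, the stem list in RANDOM_NAME_RE is a heuristic derived only from the names posted here, and all function names are this example's own.

```python
import ntpath
import re

# Constructed sample in HijackThis v1.98 log format, modelled on the kinds
# of entries discussed in this thread (not the poster's full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jouxe.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D4CB88C2-2EFB-4DF2-F24B-680ACBE69CF4} - C:\WINDOWS\system32\ipyc.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [atlxv32.exe] C:\WINDOWS\system32\atlxv32.exe
O4 - HKLM\..\RunOnce: [netwq32.exe] C:\WINDOWS\netwq32.exe
O4 - HKLM\..\RunOnce: [apihu.exe] C:\WINDOWS\apihu.exe
"""

# "R1 - ..." / "O4 - ..." section prefix used by every HJT entry line.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: HKLM\..\RunOnce: [name] command
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Heuristic derived from the RunOnce names in this thread only: a familiar
# stem (api, atl, app, add, d3, ie, ip, java, mfc, ms, net, nt, sdk, sys,
# win) + two random letters + optional "32" + .exe.
RANDOM_NAME_RE = re.compile(
    r"^(api|atl|app|add|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.exe$", re.I)
# Bare file directly under the Windows directory or system32.
WINDIR_RE = re.compile(r"^C:\\WINDOWS(\\system32)?\\[^\\]+$", re.I)

QUARANTINE_DIR = r"C:\Quarantine"          # folder named in the reply
DEFUSED_EXT = {".exe": ".xxx", ".dll": ".ddd"}  # reply's rename convention


def parse_hjt(text):
    """Return [(section, body)] for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def hijacked_ie_entries(entries):
    """R0/R1 values pointing at a local DLL resource (res://) rather than a
    web URL, plus the R3 'URLSearchHook is missing' marker."""
    hits = []
    for section, body in entries:
        if section in ("R0", "R1") and "= res://" in body:
            hits.append(body)
        elif section == "R3" and "missing" in body:
            hits.append(body)
    return hits


def suspicious_runonce(entries):
    """HKLM RunOnce entries whose target is a bare file directly under
    %WINDIR% or system32 with a random-looking name (RANDOM_NAME_RE)."""
    hits = []
    for section, body in entries:
        if section != "O4":
            continue
        m = O4_RE.match(body)
        if not m or m.group("key").lower() != "runonce":
            continue
        path = m.group("cmd").strip('"')
        if WINDIR_RE.match(path) and RANDOM_NAME_RE.match(ntpath.basename(path)):
            hits.append(path)
    return hits


def unnamed_bho_dlls(entries):
    """DLL paths of O2 Browser Helper Objects that carry no name."""
    return [body.rsplit(" - ", 1)[1] for section, body in entries
            if section == "O2" and body.startswith("BHO: (no name)")]


def quarantine_plan(paths):
    """Map each flagged file to its name inside the quarantine folder, with
    .exe -> .xxx and .dll -> .ddd so nothing can be launched by accident."""
    plan = {}
    for path in paths:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        plan[path] = QUARANTINE_DIR + "\\" + stem + DEFUSED_EXT.get(ext.lower(), ext)
    return plan


def triage(text):
    """Run every check over one log and return the findings in one dict."""
    entries = parse_hjt(text)
    flagged = suspicious_runonce(entries) + unnamed_bho_dlls(entries)
    return {
        "ie_hijack": hijacked_ie_entries(entries),
        "flagged_files": flagged,
        "quarantine": quarantine_plan(flagged),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The rename map is only a plan: moving the files is still done by hand in Safe Mode as the reply instructs, and the stem list should be treated as a triage aid for this log rather than a general signature.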
  • Dexter Vancouver, BC Canada
    edited August 2004
    Update for new readers:

    Please follow our Home Search Assistant Removal Guide first, then come back to this thread and let us know if it worked or not for you.

    Dexter...