Home Search Assistant has captured me ! Please help !
jlr820
Middletown Pa
Good evening folks,
I am plagued with an invasion by Home Search Assistant ( and maybe some other critters as well ).
My efforts to 'permanently' remove this thing have failed and it is obvious I need more skillful hands to fix this problem.
The most visible aspects of this H-S-A infestation are:
Home page always reverts to Home Search with this in the address box res://yprzm.dll/index.html#28129
Various Popups
Changed search engine
I have run Ad-Aware numerous times with the same result which is a seeming fix ( after resetting home page via tools > internet options ) only to see it returned the next time I launch IE.
I have just run Ad-Aware and immediately followed that with running Hijack This. ( log file follows below )
Any help / guidance / assistance would be most appreciated.
Thanks in advance to anyone that can help me ( isn't that a line from a BoDeans song )
my hair is graying ... nay .. turning white as I type, my metabolism has plummeted so I'm gaining weight .. and my special bottle of Chinaco Anejo is emptying fast ...
merci, gracias, grazie, danke, thanks !
vyo con dios!
Jim Root
Log from Hijack this
Logfile of HijackThis v1.98.0
Scan saved at 8:37:41 PM, on 7/30/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\d3xg.exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\winiv32.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\explorer.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yprzm.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://yprzm.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://yprzm.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\yprzm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\yprzm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://yprzm.dll/index.html#28129
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {69B55B7E-1E92-74DF-C5C2-FE9FEE3C8D54} - C:\WINNT\javalo.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UdkbSGSg] c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winiv32.exe] C:\WINNT\system32\winiv32.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\winproc32.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.peryourhealth.com/viewer/activeXViewer/activexviewer.cab
O21 - SSODL: systemie - {387F8A48-8A7A-49B6-ABCB-DBD248424C8F} - sysie.dll (file missing)
http://www.malwarebytes.biz/forums/index.php?showtopic=4
Home Search Assistant came back the 2nd time I launched IE
Appreciate the lead ... just didn't pan out ... thank you anyway tho !!!!
A few pieces of adt'l info ( have no idea if it will be helpful to those trying to help me but here goes
1) Ran 4 scans with About Buster and the only thing that was 'deleted' each and every scan was:
Removed LEGACY___NS_Service_3 Key
2) When I launch IE and H-S-A appears as my home page ....what is now in the address is
res://gzodk.dll/index.html#28129
before About Buster it was
res://yprzm.dll/index.html#28129
3. When I unhide folders and go to C:\WINNT\System32 I immediately get a virus alert for
C:\dlltmp.exe\DLLTMP.EXE
and McAfee says the virus name is StartPage-Al.gen BUT
I cannot clean, delete or quarantine it
same thing for
C:\WINNT\msxmidi.exe\00003460.EXE
4. re-ran Ad-Aware and I continue to get 3 registry key 'objects' ( have gotten them each and every time with the only difference being since I ran About Buster the value for DATA (in the log below) has changed from
yprzm.dll to gzodk.dll
The info looks like this
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://gzodk.dll/index.html#28129"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://gzodk.dll/index.html#28129"
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://gzodk.dll/index.html#28129"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://gzodk.dll/index.html#28129"
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://gzodk.dll/index.html#28129"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "res://gzodk.dll/index.html#28129"
5) re ran Hijack This
The Hijack Log is as follows
Logfile of HijackThis v1.98.0
Scan saved at 10:55:52 PM, on 7/30/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\winiv32.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\d3nu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gzodk.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gzodk.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gzodk.dll/index.html#28129
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5097E40F-55B3-8C70-AD1B-44E3B99D798B} - C:\WINNT\ntzg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UdkbSGSg] c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winiv32.exe] C:\WINNT\system32\winiv32.exe
O4 - HKLM\..\RunOnce: [d3nu.exe] C:\WINNT\system32\d3nu.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\winproc32.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.peryourhealth.com/viewer/activeXViewer/activexviewer.cab
O21 - SSODL: systemie - {387F8A48-8A7A-49B6-ABCB-DBD248424C8F} - sysie.dll (file missing)
...... that's all I have to offer and I know it's meager stuff ... but hey ... the Chinaco Anejo ( tequila ) is nearly all ...
Jim
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.html
Dexter...
jlr, you simply HAVE to stay here and hang out with us after we get this crap cleaned up. We need humor like yours here......
many thanks to those that have entered this fray with me in an effort to smite the evil infestation better known as Home Search Assistant or more simply HSA.
Unfortunately Ad Aware, Hijack This, SpyBot and McAfee suggestions, while cleaning up a lot of evil things on my laptop, have only temporarily banished HSA.
I recognize that my knowledge limitations in this area make it more difficult on those attempting to help me.
Nonetheless I humbly ask for your continued help.
Please note that I am decked out in full battle attire ( flak jacket, high school football helmet, ski gloves, 12 oz can of OFF in pocket, swiss army knife circa 1983, a KAHR 9MM semi auto, a Ruger 10/22 carbine, approx 500 rounds of both 9MM and long rifle 22, Red wing 6 1/2 inch work boots with steel toes, compass and a very old map of downtown New York ... ooops almost forgot .. also have 750 mls each of Herradura tequila and JD)
I've finalized my will and written out all the checks for the month.
I am .. simply .. ready to RUUUUUUMMMMMMMMMBBBBBBBBLE !
Just ran Ad Aware, SpyBot and Hijack This (log file below )
If it helps the same 3 'things' Ad Aware finds and I delete and then they spring back to life look like what follows.
HKEY_ CURRENT_USER:software/Microsoft/Internet Explorer/ Main "start page"(res://gzodk.ll/index.html#28189
HKEY_ Local_Machine:software/Microsoft/Internet Explorer/ Main "main default_page_url (res://gzodk.ll/index.html#28189
The attachment is an image of my Internet Explorer registry
you can see the evildoers lying there all smug and comfy under
default _ page _ url
default _ search
search page
start page
As before
vyo con dios !
and to paraphrase Loudon Wainwright .. " there's a dead skunk in the middle of the road .. but the bigger stench is the critter in my computer "
Logfile of HijackThis v1.98.0
Scan saved at 7:43:17 PM, on 8/1/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\sdkiu.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\winiv32.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5097E40F-55B3-8C70-AD1B-44E3B99D798B} - C:\WINNT\ntzg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UdkbSGSg] c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winiv32.exe] C:\WINNT\system32\winiv32.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.peryourhealth.com/viewer/activeXViewer/activexviewer.cab
O21 - SSODL: systemie - {387F8A48-8A7A-49B6-ABCB-DBD248424C8F} - sysie.dll (file missing)
OK, first of all, please download a program called CoolWebSearch from this link:
http://209.133.47.200/~merijn/files/CWShredder.exe
Put it in the same directory as HJT is in.
Next, reboot in SAFE MODE. Run HJT. FIX:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
(The above file is likely the source of your problems. It is the "reloader." This file is an indicator of a Hijack known as Cool Web Search, which is why I had you download CWSshredder. We'll run that later.)
O2 - BHO: (no name) - {5097E40F-55B3-8C70-AD1B-44E3B99D798B} - C:\WINNT\ntzg.dll
O4 - HKLM\..\Run: [winiv32.exe] C:\WINNT\system32\winiv32.exe
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/initial.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://www.peryourhealth.com/viewer/activeXViewer/activexviewer.cab
O21 - SSODL: systemie - {387F8A48-8A7A-49B6-ABCB-DBD248424C8F} - sysie.dll (file missing)
Next, run CWSShredder.
Then, check to see if the following files still exist:
C:\WINNT\system32\gzodk.dll
C:\WINNT\ntzg.dll
C:\WINNT\system32\winiv32.exe
C:\WINNT\system32\winiv32.exe
C:\WINNT\System32\toolbar.dll
Move these to a new folder called :C:\Quarantine. Rename the .dll's to .ddd, and the .exe's to .xxx. That way you can always replace them if it somehow turns out that one or more of these are necessary files....which is not likely, but quarantining is safer than deleting them.
Next, check this program:
C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo.exe
This is a not a legitimate application, and should not be in your win.ini file like that. The legit version of this file is msinfo32.exe. Check to see that you have both of those. If you do, quarantine the one without the 32, as per the above instructions.
Then, reboot normally, and see how it works for you. You may need to run CWSshredder again in normal mode to clean out remnants of the infection.
Let us know how it works, and please post a fresh log for review. If all is good, you owe me a bottle of that tequila.
Dexter...
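The fix list above is built by reading the HijackThis log for a handful of patterns: IE Start/Search values that point at a res:// resource inside a DLL, the missing URLSearchHook, an unnamed BHO, a Run entry launched from a temp folder, the win.ini run= loader and an SSODL entry whose DLL is gone. The script below, added here as an illustration and not part of the thread or of HijackThis itself, applies those same checks to a log automatically. It embeds a constructed sample assembled from lines of the 8/1/2004 log posted above; the function names and the choice of which sections to flag are the example's own.

```python
"""Triage a HijackThis v1.98 log for the browser-hijack indicators discussed in
this thread. Added example; not part of HijackThis or of any reply above."""
import re
from typing import List, Set, Tuple

# Constructed sample: a subset of the 8/1/2004 log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gzodk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5097E40F-55B3-8C70-AD1B-44E3B99D798B} - C:\WINNT\ntzg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UdkbSGSg] c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
O8 - Extra context menu item: &IE Toolbar search - res://C:\WINNT\System32\toolbar.dll/SEARCH.HTML
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O21 - SSODL: systemie - {387F8A48-8A7A-49B6-ABCB-DBD248424C8F} - sysie.dll (file missing)
"""

Finding = Tuple[str, str, str]  # (HJT section, reason, original line)

# Every HJT entry starts with a section code such as R1, F1, O2, O21.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# DLL named in a res:// URL, with or without a leading drive path.
RES_DLL_RE = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([\w.-]+\.dll)/")


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one log line (empty list if it looks benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    found: List[Finding] = []
    if sec in ("R0", "R1") and re.search(r"=\s*res://", body):
        found.append((sec, "IE start/search value points at a res:// page inside a DLL", line))
    if sec == "R3" and "URLSearchHook is missing" in body:
        found.append((sec, "default URLSearchHook removed", line))
    if sec == "F1" and re.search(r"run=\S", body):
        found.append((sec, "win.ini run= launches a program at logon (possible reloader)", line))
    if sec == "O2" and body.startswith("BHO: (no name)"):
        found.append((sec, "unnamed Browser Helper Object", line))
    if sec == "O4" and re.search(r"\\local settings\\temp\\", body, re.I):
        found.append((sec, "autorun entry executes from a temp folder", line))
    if sec == "O8" and "res://" in body:
        found.append((sec, "context-menu item served from a DLL resource", line))
    if sec == "O21" and "(file missing)" in body:
        found.append((sec, "SSODL entry whose DLL is missing", line))
    return found


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


def hijacked_dlls(findings: List[Finding]) -> Set[str]:
    """Collect the DLL basenames behind res:// findings; these are the files a
    responder would go looking for on disk (cf. gzodk.dll in the thread)."""
    names: Set[str] = set()
    for _sec, _reason, line in findings:
        for m in RES_DLL_RE.finditer(line):
            names.add(m.group(1).lower())
    return names


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for sec, reason, line in results:
        print(f"[{sec}] {reason}\n    {line}")
    print("DLLs referenced via res://:", sorted(hijacked_dlls(results)))
```

Run against the sample it reports eight entries and names gzodk.dll and toolbar.dll, which matches the R1, O8 and file list in the reply above; feed it a full log with `triage_log(open(path).read())`. The benign lines (the Acrobat BHO, the QuickTime Run entry, the aol.com reset page) produce nothing, so the output is a starting point for review rather than a list to delete blindly.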
Thanks for the response
Couple of things
1. Just back from 3 days in the mountains
2. Tried to reply to your private message but was told I wasn't logged in after I hit submit .. not sure if you'll get it .. don't want you to think me impolite
3. I'm traveling for work for next 2 days so I won't get a chance to try your suggestions till Wednesday evening ( not a bad thing cuz I'll get fortified with a couple dozen hot wings from the Boro Bar in Hummelstown Pa !!
4. Will respond Wednesday evening !!
again .. many many many thanks for everyone's help !
5. VERY IMPORTANT
I've read some other threads and the responses and have tried to implement them
but I'm not able ( or maybe not skilled enough ) to 'see' these .exe and .dlls in the folders where I'm expecting them to be ( per the HJ This logs and Ad Aware logs )
EVEN tho I've clicked show me hidden folders, file extensions etc .. ... it's like the little buggers make themselves invisible
Jim Root
Did what you suggested ..
Thought twas victory !!! but ... nay the critter remains alive
1. moved C\WINNT\sys32/winiv32.exe to Quarantine and renamed
moved c\WINNT\sys32\ntzg.dll to Q and renamed
didn't see any others
2. did not see the reloader file only the msinfo32.exe
here's the latest HJ log
will be happy to hand-carry the tequila mi amigo !!!
again thanks !!!
PS - getting an "sdkiu.exe has generated errors and will be shut down" message ( at boot-up )
Logfile of HijackThis v1.98.0
Scan saved at 7:10:16 PM, on 8/12/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\winpx32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\ntdc.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\qlttp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINNT\system32\qlttp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\qlttp.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07C3EF4B-9632-283D-A5BA-EA0E88D3DC66} - C:\WINNT\mfccw32.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UdkbSGSg] c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntdc.exe] C:\WINNT\ntdc.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
First, print this page so you have these instructions and your current HJT log on paper in front of you.
Reboot in SAFE MODE. Run HJT. FIX:
***NOTE: This hijack appears to have the ability to rename its files, apparently when the computer rebooted. If you have rebooted your computer since you posted this log, check HijackThis to make sure that the file names are identical to what you have posted. Otherwise, you need to post a new log, and NOT SHUT DOWN YOUR COMPUTER until you have gotten a reply from one of us as to which files you need to remove.*****
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\qlttp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINNT\system32\qlttp.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\qlttp.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {07C3EF4B-9632-283D-A5BA-EA0E88D3DC66} - C:\WINNT\mfccw32.dll
O4 - HKLM\..\Run: [UdkbSGSg] c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
O4 - HKLM\..\Run: [ntdc.exe] C:\WINNT\ntdc.exe
Then, stay in safe mode, and quarantine the following files, using my soon-to-be patented quarantine procedure outlined above:
C:\WINNT\system32\qlttp.dll
C:\WINNT\mfccw32.dll
c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
C:\WINNT\ntdc.exe
***If you do not find those exact entries in SAFE MODE, it means the processes have renamed themselves. Identify the new names by identifying the patterns:
- multiple R0 and R1 entries with the same dll name in them
- an O2 BHO entry with a random-seeming dll name, usually 5 characters followed by a 32
- an O4 HKLM Run entry with a random-seeming exe name of either 4 or 5 characters, often with 32 in the name.
If the files have renamed themselves, compare your current log with the one you printed out earlier, to see which entries appear now that were not there before. If entries appear on your current scan that were not on the printed scan from earlier, FIX THEM.***
Then, DO NOT REBOOT THE COMPUTER USING THE START MENU BUTTONS TO LOG OFF OR REBOOT.
Manually shut the computer down, by either yanking the plug out of it, or shutting it off with the power switch. Then, plug it back in or turn it back on.
Now, reboot normally, and check things out. Come let us know how it worked. Run a new HJT scan, and post the log here for further review.
Dexter...
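The three patterns and the compare-with-the-printed-log step above, as an added example in Python (not part of the thread and not a HijackThis feature; the function names and the thresholds are this example's own). It parses HJT entry lines, flags R0/R1 entries that share one res:// dll, nameless or randomly named O2 BHOs, O4 Run entries that point at a planted exe or at anything under a Temp folder, and diffs two logs so the entries that appeared after a reboot stand out. The sample logs are trimmed from the two logs posted in this thread. The random-name test is the thread's own heuristic and will also catch a few legitimate short names, so the output is a shortlist for review, not a verdict:

```python
import re
from collections import Counter

ENTRY = re.compile(r'^(R\d|F\d|O\d+) - ')                          # any HijackThis entry line
RES_DLL = re.compile(r'res://(?:.*\\)?([^\\/]+\.dll)/', re.I)       # R0/R1: res://<path>\<name>.dll/<page>
BHO = re.compile(r'^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$')    # O2: <name> - {CLSID} - <dll path>
RUN = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.+)$')  # O4: [<value name>] <command line>
# Naming pattern from the thread: 4-5 letters, optional "32" (mfccw32.dll, ntdc.exe, sdkul32.exe)
RANDOM_NAME = re.compile(r'^[a-z]{4,5}(32)?\.(dll|exe)$', re.I)


def run_target(command):
    """Executable path from a Run-key command line: quoted path, or unquoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted: CreateProcess tries successive prefixes, so take everything up to the first .exe token
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith('.exe'):
            return ' '.join(tokens[:i + 1])
    return tokens[0]


def looks_planted(path):
    """Randomly named dll/exe sitting in %WINDIR% or system32, or anything run from a Temp folder.
    Triage heuristic only: some legitimate 4-5 letter names live in system32 as well."""
    low = path.lower()
    in_temp = '\\temp\\' in low
    in_windir = '\\winnt\\' in low or '\\windows\\' in low
    return in_temp or (in_windir and RANDOM_NAME.match(path.rsplit('\\', 1)[-1]) is not None)


def triage(log_text):
    """Return [(reason, entry line)] for every entry matching the patterns described above."""
    lines = [l.rstrip() for l in log_text.splitlines() if ENTRY.match(l)]
    findings = []
    # Pattern 1: several R0/R1 entries all pointing at the same res://...dll
    res_hits = [(RES_DLL.search(l).group(1).lower(), l) for l in lines
                if l[:2] in ('R0', 'R1') and RES_DLL.search(l)]
    counts = Counter(name for name, _ in res_hits)
    findings += [('res:// hijack via ' + name, l) for name, l in res_hits if counts[name] >= 2]
    for line in lines:
        if line.startswith('R3') and 'URLSearchHook is missing' in line:
            findings.append(('URLSearchHook removed by the hijacker', line))
            continue
        m = BHO.match(line)            # Pattern 2: nameless or randomly named BHO
        if m and (m.group(1) == '(no name)' or looks_planted(m.group(2))):
            findings.append(('unknown BHO ' + m.group(2).rsplit('\\', 1)[-1], line))
            continue
        m = RUN.match(line)            # Pattern 3: Run-key autostart of a planted exe
        if m and looks_planted(run_target(m.group(1))):
            findings.append(('autorun of ' + run_target(m.group(1)), line))
    return findings


def quarantine_targets(log_text):
    """Files behind the flagged entries: what to move into C:\\Quarantine after fixing the entries."""
    files = set()
    for _, line in triage(log_text):
        if line.startswith(('R0', 'R1')):
            files.add(re.search(r'res://(.*?\.dll)/', line, re.I).group(1))
        elif line.startswith('O2'):
            files.add(BHO.match(line).group(2))
        elif line.startswith('O4'):
            files.add(run_target(RUN.match(line).group(1)))
    return sorted(files)


def new_entries(current, previous):
    """Entries in the current log that were not in the earlier one: the ones to fix after a rename."""
    prev = {l.rstrip() for l in previous.splitlines() if ENTRY.match(l)}
    return [l.rstrip() for l in current.splitlines() if ENTRY.match(l) and l.rstrip() not in prev]


# Constructed test input: lines trimmed from the two logs posted in this thread, not complete logs.
PREVIOUS_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\qlttp.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\qlttp.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07C3EF4B-9632-283D-A5BA-EA0E88D3DC66} - C:\WINNT\mfccw32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UdkbSGSg] c:\documents and settings\administrator\local settings\temp\UdkbSGSg.exe
O4 - HKLM\..\Run: [ntdc.exe] C:\WINNT\ntdc.exe
"""
CURRENT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\kkgcz.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26D4D9D7-DEC5-C8C8-C978-61DF76612635} - C:\WINNT\msem.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sdkul32.exe] C:\WINNT\sdkul32.exe
O16 - DPF: {B8AB2281-447F-482B-86E9-1F0ED5973637} - http://www.isurfplus.com/sure.cab
"""

if __name__ == '__main__':
    for reason, line in triage(CURRENT_LOG):
        print('%-40s %s' % (reason, line))
    print('quarantine:', quarantine_targets(CURRENT_LOG))
    print('new since previous log:', len(new_entries(CURRENT_LOG, PREVIOUS_LOG)))
```

Keep the earlier log on disk (or on paper, as suggested above) and feed it in as `previous`: the res:// dll name changes on every rename, so the diff, not the file name, is what identifies the entries to fix after a reboot.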
Bad news for the home team .... still have the HSA critters
Good news ... I'm getting an education
Latest HJ log follows this commentary
1. Followed your process i.e. safe mode, run HJ and fix, Quarantine / rename,
run CWShredder .. yank the cord ( almost forgot to remove the battery first hee hee ) and then reboot normally
NOTE: I couldn't find the O2 BHO .dll ( after 'fixing' with HJ ) so I couldn't Q and rename it
2. after reboot I ran HJ and Shredder, both logs were clean .. waited a minute .. re-ran HJ and the O2 BHO .dll appeared ... waited another minute .. re-ran HJ and the O4 HKLM .exe appeared
3. made numerous passes over 4 hr period .. similar results .. looks good but soon reverts
4. decided to investigate and gather info for you'all to digest ...
Info as follows
a) sometimes the O4 HKLM .exe is in the WINNT folder and sometimes it's in WINNT\System32
CURRENT LOG
O4 - HKLM\..\Run: [sdkul32.exe] C:\WINNT\sdkul32.exe
a PREVIOUS LOG
O4 - HKLM\..\Run: [appfq.exe] C:\WINNT\system32\appfq.exe
c) in the WINNT folder I have HUNDREDS ( yes HUNDREDS !!! )
of weird .dat files
all of which are
- 5 letters ( eg... udxld.dat, alpoi.dat )
- either 3kb or 12 kb in size
- open with unknown applications
- oldest one is 7-1-04
d) in the WINNT folder I have HUNDREDS ( yes HUNDREDS !!! )
of weird .dll files
all of which are
- 5 letters ( eg... kbcjr.dll )
- 56 kb in size
- unknown application
- oldest one is 7-1-04
e) in the WINNT folder I have some weird .exes, .txts and assorted other stuff as follows
crxb32.exe 19kb created 8-13
sdkul32.exe 19 kb 8-12
iewm.exe 19kb created 7-27 , modified 8-13 ... suspicious eh
mfcaj32.exe 0 kb ( ???? ) cr 8-10 mod 8-10
ibcbj.txt 12 kb cr 8-12 ( looks like a bunch of code ???
winwq32.exe 12 kb cr 8-3
javafz.exe 12 kb cr on 8-2
DBHHMMPJ.ini cr 8-2 which when opened shows this
³¡±¦³«Î‰¼Ú£ÅË*Ú³×ÚÚ·ÊÂÖÀîϰËØ×ßÃÞ °ÂÙÓÇ¿*ÔÀ
WININIT.ini which looks like this
[Rename]
NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe
CDAC138A.exe 21 kb cr 7-30
AolCInUn.exe 52 kb cr 7-30
mrcfm.exe 28 kb cr 7-24
UP9ASP.INI cr 7-24 and looks like this
[KW]
Promo=101
Conn=TCP
msjs.exe 12 kb cr 7-21
atlff.exe cr 7-19
addql.exe cr 7-18
winpx32.exe cr 7-17
mjraa.txt 12 kb cr 7-17
mfchu.exe 12 kb cr 7-14
msll.exe 12 kb cr 7-13
f) HAVE the SAME kind of .dats, .dlls, .exes, .inis etc. in the WINNT\System32 folder as well !!!!
as always .. THANKS !!!!
Jim Root
717-939-3563
ciao !
Logfile of HijackThis v1.98.0
Scan saved at 5:19:35 AM, on 8/14/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\winpx32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\sdkul32.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\kkgcz.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINNT\system32\kkgcz.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINNT\system32\kkgcz.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\kkgcz.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26D4D9D7-DEC5-C8C8-C978-61DF76612635} - C:\WINNT\msem.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sdkul32.exe] C:\WINNT\sdkul32.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8AB2281-447F-482B-86E9-1F0ED5973637} - http://www.isurfplus.com/sure.cab
Couple of things
1. The nefarious Home Search Assistant has been eradicated !!!!
2. many many thanks for all your help particularly the Removal Guide !!
3. I've tried to email you direct but I must not have clearance to do so because as soon as I 'send' it I get pushed to another login screen and I see that NO emails have been sent ( have given up on this )
As far as to 'how' this thing was finally eradicated here are some things I did
1. Had McAfee anti-virus, uninstalled it and installed Norton 2004, which required me to update IE, which I did, to 6.01 SP1
All the following was done in safe mode
2. Ran Norton and it 'found' things HJ , Ad-Aware 6 etc did not find
3. Had to manually delete a registry key or two as ID'ed by Norton
4. Deleted TEMP and Internet TEMP stuff
5. Repeatedly ran a Molotov cocktail of virus scans, HJ, Ad-Aware 6, Home Search Killer,
CWShredder and About Buster, along with some manual deletions ( as opposed to 'fix' in these programs ), until everything was CLEAN
6. 'Pulled' the plug ... and rebooted into safe mode 3 times repeating step 5
7. Rebooted normally and immediately did step 5 BEFORE launching IE
8. 'Pulled the plug' and then rebooted normally
9. Repeated step 5 and again everything was clean, launched IE ( with bated breath) got the Home Search Killer page, reset my home page and all has been well for a couple days
My belief, based on my observations, is that for my situation
the switch to Norton ( which ID'd things McAfee or any of the other programs weren't finding ) and the upgrade of IE were the final keys to success, as I had done everything else numerous times:
using the Removal Guide,
hard shutdown etc,
had clean logs with all the programs,
launched IE and gotten the Home Search Killer home page
only to see the dastardly HSA return as soon as I did a search ( yahoo, Google , MSN whatever )
or when I launched IE a 2nd time
Have done some things with my IE security controls as well to try and prevent a reoccurrence
Been clean 2 days now and all is well
... so ... thanks again ...
and by the way ... I'll probably be back with another log as both my daughters
laptops are infested with a bunch of crap ... although not HSA .. it is with other stuff I see folks have problems getting resolved
ciao !
Jim Root
Now check out the links in my signature to find out about our Folding for a Cure project, it is a great cause that many of us here are involved with.
Dexter...