Home Search Assistant - Swing
I have had the HOME SEARCH ASSISTANT slowing my computer down for several weeks. I was going to reformat my hard drive today until I came to your site.
As suggested in your FAQ, I have updated and run ADAWARE & SPYBOT SEARCH & DESTROY. In addition, I have installed and run CWS Shredder, hsremove, and aboutbuster (all in safe mode). Initially, it seemed like it had been removed - but it always comes back.
Below is my log from HijackThis. I was considering deleting some items that I suspected were trouble, but figured it would be best to wait for your advice.
Thank you very much for your time. I appreciate your assistance.
Logfile of HijackThis v1.97.7
Scan saved at 9:22:32 AM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\atlhs32.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\addze.exe
C:\WINDOWS\addze.exe
C:\Documents and Settings\swing\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptds.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jptds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B4CEC13-66EE-DF47-E83B-C7349372B588} - C:\WINDOWS\nethe32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [atlhs32.exe] C:\WINDOWS\system32\atlhs32.exe
O4 - HKLM\..\RunOnce: [mfcqd32.exe] C:\WINDOWS\system32\mfcqd32.exe
O4 - HKLM\..\RunOnce: [addze.exe] C:\WINDOWS\addze.exe
O4 - HKLM\..\RunOnce: [apiif.exe] C:\WINDOWS\system32\apiif.exe
O4 - HKLM\..\RunOnce: [bhtsf] C:\WINDOWS\ocgen.log:bhtsf
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1FBD11EF-1260-11D1-87A7-444553540001} (Synapse Medical Imaging Workstation) - http://synapse/osd/synapseWorkstation.cab
O16 - DPF: {3591A50D-18FD-42BC-8D10-6C93BDAF2DA0} (Data Dynamics #Grid 2.0 (ICursor)) - http://pwss2d035/exv/pws2/cab/sg20.ocx
O16 - DPF: {4B4F8F8F-9CE3-4C54-BDB7-66F44E2F62A1} (IChartDocMngr Control) - http://pwss2d035/exv/installs/iChartDocMngr.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/072deb3220a2bd758f19/netzip/RdxIE601.cab
O16 - DPF: {7814BDAA-A125-44BB-A3F4-BE87D8767AFF} (Bridge Class) - http://pwss2d035/exv/pws2/wordcnt/wordcnt.cab
O16 - DPF: {78C21026-00DD-42FF-8FE3-94BDB929B9B8} (PSMike Control) - http://pwss2d035/exv/installs/PSMike.cab
O16 - DPF: {792A484F-C378-4B63-AD28-EF4FD490F00E} (IChartLogger Control) - http://pwss2d035/exv/installs/iChartLogger.ocx
O16 - DPF: {93BE011C-F234-4070-886D-A5F9D4D712AE} (IChartConfig Control) - http://pwss2d035/exv/installs/iChartConfig.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {95A451DA-30B8-4459-87C2-595423821CAE} (IChartPlayer Control) - http://pwss2d035/exv/installs/iChartPlayer.ocx
O16 - DPF: {CB320D1A-2077-4C5C-94E1-5BDA366593EE} (IChartRtfViewer Control) - http://pwss2d035/exv/installs/iChartRtfViewer.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F60EA672-8783-4643-80A7-FC250647DBD2} (IChartLifeSupport Control) - http://pwss2d035/exv/installs/iChartLifeSupport.ocx
O16 - DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} (SynapseInstallHelper Class) - http://synapse/osd/x86/win95/FujiInst.cab
Comments
Thanks.
First move Hijack this to an easier location to work with. I recommend making a folder right on your C drive, called C:\HJT.
Click Start, and then Run. Type "Services.msc" in the run box and hit enter.
Look for a service called "Network Security Service"... If it's there, click on it, click properties, and set the thing to "disabled" and then STOP the service.
If you do not have that service, I want you to manually do a hard-power down or restart on your computer. Do not select shutdown from your menu, just reach over and shut it off, then back on, or hit the restart button on your case. When it starts to boot, tap the F8 key to get the boot options menu, and select SAFE MODE.
If you did have the "Network Security Service", and you stopped it, then you can either do the hard reboot or a normal reboot through the Start menu. Reboot the computer into SAFE MODE.
(Make sure to let me know which situation applied to you.)
Either way, once you are in SAFE MODE, run HijackThis, and FIX these entries:
***NOTE: This hijack appears to have the ability to rename its files, apparently when the computer is shut down or the task has been ended. If you have rebooted your computer since you posted this log, check HijackThis to make sure that the file names are identical to what you have posted. Otherwise, you need to post a new log, and NOT SHUT DOWN YOUR COMPUTER until you have gotten a reply from one of us as to what files you need to remove.***
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptds.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jptds.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
O2 - BHO: (no name) - {7B4CEC13-66EE-DF47-E83B-C7349372B588} - C:\WINDOWS\nethe32.dll
O4 - HKLM\..\Run: [atlhs32.exe] C:\WINDOWS\system32\atlhs32.exe
O4 - HKLM\..\RunOnce: [mfcqd32.exe] C:\WINDOWS\system32\mfcqd32.exe
O4 - HKLM\..\RunOnce: [addze.exe] C:\WINDOWS\addze.exe
O4 - HKLM\..\RunOnce: [apiif.exe] C:\WINDOWS\system32\apiif.exe
O4 - HKLM\..\RunOnce: [bhtsf] C:\WINDOWS\ocgen.log:bhtsf
Next, stay in SAFE MODE, and locate all of the .exe files and .dll files mentioned above. Make sure you are set to show hidden files and folders on your system, instructions to do that are in the link above "Steps to take before posting a Hijack This log."
These are the files you need to look for:
C:\WINDOWS\system32\jptds.dll
C:\WINDOWS\nethe32.dll
C:\WINDOWS\system32\atlhs32.exe
C:\WINDOWS\system32\mfcqd32.exe
C:\WINDOWS\addze.exe
C:\WINDOWS\system32\apiif.exe
C:\WINDOWS\ocgen.log:bhtsf
Move these files to a new folder called C:\Quarantine. Rename the .exe's to .xxx and the .dll's to .ddd. That way you can always replace them if it somehow turns out that one or more of these are necessary files... which is not likely, but quarantining is safer than deleting them.
Now, reboot normally, and check things out. Come let us know how it worked. Run a new HJT scan, and post the log here for further review, and let me know whether you had the Network Security service, or if you just did a hard reboot.
Dexter...
I have shut down the computer since my first post. I'll refrain from rebooting till I hear further instructions. Thus, my HijackThis log has changed to the following:
Logfile of HijackThis v1.97.7
Scan saved at 6:50:22 AM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\atlhs32.exe
C:\WINDOWS\Greenstone.bmp:xjipu
C:\Documents and Settings\SWING\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zfwne.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zfwne.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zfwne.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zfwne.dll/sp.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CD05B77-C677-4D01-5562-25BA68012376} - C:\WINDOWS\apiad.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [atlhs32.exe] C:\WINDOWS\system32\atlhs32.exe
O4 - HKLM\..\RunOnce: [xjipu] C:\WINDOWS\Greenstone.bmp:xjipu
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1FBD11EF-1260-11D1-87A7-444553540001} (Synapse Medical Imaging Workstation) - http://synapse/osd/synapseWorkstation.cab
O16 - DPF: {3591A50D-18FD-42BC-8D10-6C93BDAF2DA0} (Data Dynamics #Grid 2.0 (ICursor)) - http://pwss2d035/exv/pws2/cab/sg20.ocx
O16 - DPF: {4B4F8F8F-9CE3-4C54-BDB7-66F44E2F62A1} (IChartDocMngr Control) - http://pwss2d035/exv/installs/iChartDocMngr.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/072deb3220a2bd758f19/netzip/RdxIE601.cab
O16 - DPF: {7814BDAA-A125-44BB-A3F4-BE87D8767AFF} (Bridge Class) - http://pwss2d035/exv/pws2/wordcnt/wordcnt.cab
O16 - DPF: {78C21026-00DD-42FF-8FE3-94BDB929B9B8} (PSMike Control) - http://pwss2d035/exv/installs/PSMike.cab
O16 - DPF: {792A484F-C378-4B63-AD28-EF4FD490F00E} (IChartLogger Control) - http://pwss2d035/exv/installs/iChartLogger.ocx
O16 - DPF: {93BE011C-F234-4070-886D-A5F9D4D712AE} (IChartConfig Control) - http://pwss2d035/exv/installs/iChartConfig.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {95A451DA-30B8-4459-87C2-595423821CAE} (IChartPlayer Control) - http://pwss2d035/exv/installs/iChartPlayer.ocx
O16 - DPF: {CB320D1A-2077-4C5C-94E1-5BDA366593EE} (IChartRtfViewer Control) - http://pwss2d035/exv/installs/iChartRtfViewer.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F60EA672-8783-4643-80A7-FC250647DBD2} (IChartLifeSupport Control) - http://pwss2d035/exv/installs/iChartLifeSupport.ocx
O16 - DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} (SynapseInstallHelper Class) - http://synapse/osd/x86/win95/FujiInst.cab
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zfwne.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zfwne.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zfwne.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zfwne.dll/sp.html#28129
O2 - BHO: (no name) - {4CD05B77-C677-4D01-5562-25BA68012376} - C:\WINDOWS\apiad.dll
O4 - HKLM\..\Run: [atlhs32.exe] C:\WINDOWS\system32\atlhs32.exe
O4 - HKLM\..\RunOnce: [xjipu] C:\WINDOWS\Greenstone.bmp:xjipu
Files:
C:\WINDOWS\zfwne.dll
C:\WINDOWS\apiad.dll
C:\WINDOWS\system32\atlhs32.exe
C:\WINDOWS\Greenstone.bmp:xjipu
Follow the above instructions, using these HJT entries and file names.
Let me know how that works.
Dexter...
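The entries Dexter singles out in both replies share a few tells: IE's start and search pages are redirected to a res:// URL inside a local DLL, an unnamed BHO is loaded from the Windows directory rather than Program Files, a Run value is named after its own executable, RunOnce values keep reappearing, and one autostart target is an NTFS alternate data stream (the part after the second colon in C:\WINDOWS\ocgen.log:bhtsf or C:\WINDOWS\Greenstone.bmp:xjipu). The Python script below is an added example, not part of this thread or of HijackThis; it encodes those heuristics as log-line checks and then compares the 8/8 and 8/10 logs to show what the rename note is about: the DLL name changed between reboots (jptds.dll to zfwne.dll) while the res:// resource path sp.html#28129 stayed the same, so the resource path is the stable marker to track across scans. The sample lines are copied from the logs posted above; the heuristics and function names are my own.

```python
import re

# Constructed sample input: entries copied from the two HijackThis logs posted
# in this thread (8/8 and 8/10), trimmed to the lines that matter here.
LOG_AUG_8 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jptds.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jptds.dll/index.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B4CEC13-66EE-DF47-E83B-C7349372B588} - C:\WINDOWS\nethe32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [atlhs32.exe] C:\WINDOWS\system32\atlhs32.exe
O4 - HKLM\..\RunOnce: [addze.exe] C:\WINDOWS\addze.exe
O4 - HKLM\..\RunOnce: [bhtsf] C:\WINDOWS\ocgen.log:bhtsf
"""

LOG_AUG_10 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zfwne.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zfwne.dll/index.html#28129
O2 - BHO: (no name) - {4CD05B77-C677-4D01-5562-25BA68012376} - C:\WINDOWS\apiad.dll
O4 - HKLM\..\Run: [atlhs32.exe] C:\WINDOWS\system32\atlhs32.exe
O4 - HKLM\..\RunOnce: [xjipu] C:\WINDOWS\Greenstone.bmp:xjipu
"""

# res://<optional path>\<dll>/<resource>: group 1 is the DLL, group 2 the resource path
RES_DLL = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/(\S+)", re.I)
# A second colon after the drive letter with no path separator behind it is an
# NTFS alternate data stream (hostfile:stream), e.g. ocgen.log:bhtsf.
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*:[^\\/:]+$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def _o4_target(rest: str) -> str:
    """Strip optional quotes and trailing arguments from an O4 command line."""
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest.split(" ", 1)[0]


def _basename(path: str) -> str:
    # Split on backslash by hand so this also works when run on a non-Windows host.
    return path.rsplit("\\", 1)[-1]


def find_suspicious(log: str) -> list:
    """Return (reason, line) pairs for log entries that match the heuristics."""
    findings = []
    for line in log.strip().splitlines():
        line = line.strip()
        if line.startswith(("R0 - ", "R1 - ")) and "res://" in line:
            # A stock IE start/search page is an http:// URL or about:blank; a
            # res:// URL means the pages are being served out of a local DLL.
            findings.append(("IE start/search page points into a DLL resource", line))
            continue
        m = O2_LINE.match(line)
        if m:
            name, dll = m.groups()
            if name == "(no name)" and "\\program files\\" not in dll.lower():
                findings.append(("unnamed BHO loaded from outside Program Files", line))
            continue
        m = O4_LINE.match(line)
        if m:
            _hive, key, value_name, rest = m.groups()
            target = _o4_target(rest)
            if ADS_PATH.match(target):
                findings.append(("autostart from an NTFS alternate data stream", line))
            elif key.lower() == "runonce":
                # RunOnce values are deleted once they execute; one that is still
                # there on every scan is being re-created by something.
                findings.append(("RunOnce entry that persists across scans", line))
            elif value_name.lower() == _basename(target).lower():
                findings.append(("Run value named after its own file", line))
    return findings


def hijack_dlls(log: str) -> set:
    """Lower-cased DLL file names that the R0/R1 entries redirect IE into."""
    return {m.group(1).lower() for m in RES_DLL.finditer(log)}


def persistent_res_paths(log_a: str, log_b: str) -> set:
    """Resource paths (e.g. sp.html#28129) that appear in both logs, whatever the DLL is called."""
    def paths(log):
        return {m.group(2) for m in RES_DLL.finditer(log)}
    return paths(log_a) & paths(log_b)


if __name__ == "__main__":
    for label, log in (("8/8", LOG_AUG_8), ("8/10", LOG_AUG_10)):
        print(f"--- {label}: hijack DLLs {sorted(hijack_dlls(log))}")
        for reason, line in find_suspicious(log):
            print(f"  [{reason}] {line}")
    print("unchanged resource paths:", sorted(persistent_res_paths(LOG_AUG_8, LOG_AUG_10)))
```

Run against the two logs, the script lists the same entries Dexter asked to have fixed and none of the Symantec, Adobe or Google ones; the final line shows that sp.html#28129 and index.html#28129 survived the rename, which is why a fresh scan after any reboot is needed before touching files by name.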
A couple of comments:
1. I did have to disable the Network Security Service
2. When rebooting into safe mode, it changes the "*.dll" name
Thanks again for your help and good luck to the rest of you with. . .
Here is my latest Hijack log
Logfile of HijackThis v1.97.7
Scan saved at 6:57:33 PM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\swing\Desktop\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1FBD11EF-1260-11D1-87A7-444553540001} (Synapse Medical Imaging Workstation) - http://synapse/osd/synapseWorkstation.cab
O16 - DPF: {3591A50D-18FD-42BC-8D10-6C93BDAF2DA0} (Data Dynamics #Grid 2.0 (ICursor)) - http://pwss2d035/exv/pws2/cab/sg20.ocx
O16 - DPF: {4B4F8F8F-9CE3-4C54-BDB7-66F44E2F62A1} (IChartDocMngr Control) - http://pwss2d035/exv/installs/iChartDocMngr.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/072deb3220a2bd758f19/netzip/RdxIE601.cab
O16 - DPF: {7814BDAA-A125-44BB-A3F4-BE87D8767AFF} (Bridge Class) - http://pwss2d035/exv/pws2/wordcnt/wordcnt.cab
O16 - DPF: {78C21026-00DD-42FF-8FE3-94BDB929B9B8} (PSMike Control) - http://pwss2d035/exv/installs/PSMike.cab
O16 - DPF: {792A484F-C378-4B63-AD28-EF4FD490F00E} (IChartLogger Control) - http://pwss2d035/exv/installs/iChartLogger.ocx
O16 - DPF: {93BE011C-F234-4070-886D-A5F9D4D712AE} (IChartConfig Control) - http://pwss2d035/exv/installs/iChartConfig.ocx
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {95A451DA-30B8-4459-87C2-595423821CAE} (IChartPlayer Control) - http://pwss2d035/exv/installs/iChartPlayer.ocx
O16 - DPF: {CB320D1A-2077-4C5C-94E1-5BDA366593EE} (IChartRtfViewer Control) - http://pwss2d035/exv/installs/iChartRtfViewer.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F60EA672-8783-4643-80A7-FC250647DBD2} (IChartLifeSupport Control) - http://pwss2d035/exv/installs/iChartLifeSupport.ocx
O16 - DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} (SynapseInstallHelper Class) - http://synapse/osd/x86/win95/FujiInst.cab
Feel free to stick around the site; we have some good people here and some fun threads in the PUB. And definitely check out our Folding for a Cure Team.
Dexter...