Options
another home Search Assistant problem
Hi all, and thanks for being so kind to those of us who would otherwise be completely helpless. Ad Aware and Spybot didn't fix my problem, although I do think they got rid of a bunch of junk I didn't really want on my PC. Here's my hjt log:
Logfile of HijackThis v1.98.2
Scan saved at 9:29:35 PM, on 8/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\CRMT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\SPYWARE TOOLS\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC985E67-9DA5-C729-5C40-FC68EAC522A7} - C:\WINDOWS\SYSTEM\NTKI.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\1519392.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] c:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [CRMT.EXE] C:\WINDOWS\SYSTEM\CRMT.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins1.TMP\DLGLI1.EXE
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {03D54089-095E-11D3-B36B-006008B04974} (IVideoViewer Control) - http://www.behere.com/viewers/dmb/iVideoViewer1_04.cab
I see lots of things I think are problems, but when I fix them many return, so I am obviously missing something. I got rid of all the 015 "trusted zone" run lines because I didn't see any sites in them I recognized or perceived as useful. I even tried several in another browser to see what they were. Anyway, they are all gone now, so I hope I didn't need the one that ended in ".info".
I am also new to this, so I am slightly lost. I think I may need to follow vanagon40's method (I am also running 98 and my symptoms are very similar), but I'm just not sure yet. Also, as I was following the hjt user's guide thread, I was unable to run (or find) the services.msc program. I hope that doesn't limit hjt's ability to help me.
Any advice is greatly appreciated. I'll follow along as best I can. In the meantime I'll be rereading posts to try to get a better idea of what I'm up against and how these fixes work...
Logfile of HijackThis v1.98.2
Scan saved at 9:29:35 PM, on 8/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\CRMT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\SPYWARE TOOLS\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC985E67-9DA5-C729-5C40-FC68EAC522A7} - C:\WINDOWS\SYSTEM\NTKI.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\1519392.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] c:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [CRMT.EXE] C:\WINDOWS\SYSTEM\CRMT.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\WINDOWS\TEMP\ins1.TMP\DLGLI1.EXE
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {03D54089-095E-11D3-B36B-006008B04974} (IVideoViewer Control) - http://www.behere.com/viewers/dmb/iVideoViewer1_04.cab
I see lots of things I think are problems, but when I fix them many return, so I am obviously missing something. I got rid of all the 015 "trusted zone" run lines because I didn't see any sites in them I recognized or perceived as useful. I even tried several in another browser to see what they were. Anyway, they are all gone now, so I hope I didn't need the one that ended in ".info".
I am also new to this, so I am slightly lost. I think I may need to follow vanagon40's method (I am also running 98 and my symptoms are very similar), but I'm just not sure yet. Also, as I was following the hjt user's guide thread, I was unable to run (or find) the services.msc program. I hope that doesn't limit hjt's ability to help me.
Any advice is greatly appreciated. I'll follow along as best I can. In the meantime I'll be rereading posts to try to get a better idea of what I'm up against and how these fixes work...
0
Comments
Dexter...
I apologize for not being clear. I was following the HSA Removal Guide. However, since I'm running Win 98, I can't use the hsremove program I downloaded. And for some reason, I can't run the Services.msc utility in Windows. The Start/Run window doesn't find it, and I can't locate it anywhere, either. That means I am hung up at Step 4, and I don't know what to do about it. Thanks for taking the time to reply.
Matt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about_:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\jtmcf.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC985E67-9DA5-C729-5C40-FC68EAC522A7} - C:\WINDOWS\SYSTEM\NTKI.DLL
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\1519392.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [CRMT.EXE] C:\WINDOWS\SYSTEM\CRMT.EXE
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
okay, you need to get rid of these entries, and then boot into DOS MODE and MANUALLY delete the files. You will not be able to see some of them, since they will be hidden. You need to use the following commands to find and delete the files:
DIR /A:H -- shows hidden files
DIR /A:S -- shows system files
ATTRIB -H -S filename - UNhides and UNsystems the bad file
DEL filename after the attrib command has been run.
So, delete the following files in DOS mode:
C:\WINDOWS\system\jtmcf.dll
C:\WINDOWS\SYSTEM\NTKI.DLL
C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
C:\WINDOWS\SYSTEM\1519392.EXE
C:\WINDOWS\SYSTEM\RNBOSENT\ (delete the whole directory using the DELTREE RNBOSENT command)
If you can't find one of those, say jtmcf.dll, then you'll need to do the attrib thing:
ATTRIB -H -S jtmcf.dll
and then
DEL jtmcf.dll