Home Search
Hi,
I am currently having problems getting rid of Home Search Assistant. I'm having problems w/ hijacked browser & a lot of pop-ups. I have tried both Ad-aware 6.0 & Spybot S&D, both have not been able to get rid of my problem. I ran Norton Anti-virus (w/ updates), and CWshredder. I was very excited to find your "home search assistant removal guide". I followed it as best as I could. Unfortunately, after working on this for two straight nights, I still have made no progress. Can anyone PLEASE help?
Thanks in advance for anyone taking time to help me out.
Here is my latest HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 10:34:11 PM, on 9/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
C:\WINDOWS\SYSTEM\JAVAYN32.EXE
C:\WINDOWS\SYSTEM\CRYD32.EXE
C:\WINDOWS\SYSTEM\APPQU.EXE
C:\WINDOWS\SYSTEM\MFCKB32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\JAVAVL32.EXE
C:\WINDOWS\SYSTEM\NETEU32.EXE
C:\WINDOWS\SYSTEM\JAVAJM.EXE
C:\WINDOWS\SYSTEM\SDKKR32.EXE
C:\WINDOWS\SYSTEM\IPLR.EXE
C:\WINDOWS\SYSTEM\NETZV.EXE
C:\WINDOWS\SYSTEM\APIGW.EXE
C:\WINDOWS\SYSTEM\WINFD32.EXE
C:\WINDOWS\SYSTEM\ADDYX.EXE
C:\WINDOWS\SYSTEM\ADDRM32.EXE
C:\WINDOWS\SYSTEM\MSZS.EXE
C:\WINDOWS\APIQX32.EXE
C:\WINDOWS\SYSTEM\ATLFS.EXE
C:\WINDOWS\SYSTEM\APIWC.EXE
C:\WINDOWS\SYSTEM\JAVAJW32.EXE
C:\WINDOWS\SYSTEM\ADDSI32.EXE
C:\WINDOWS\SYSTEM\JAVADV32.EXE
C:\WINDOWS\APIRK32.EXE
C:\WINDOWS\APPWQ.EXE
C:\WINDOWS\SYSTEM\APIQU32.EXE
C:\WINDOWS\WINKG.EXE
C:\WINDOWS\SYSTEM\NTGB.EXE
C:\WINDOWS\ATLWH.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\HP SIMPLE TRAX\HPCRON.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\JWJWXQND.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\ATLWH.EXE
C:\WINDOWS\SYSTEM\JAVAAK32.EXE
C:\WINDOWS\SYSTEM\JAVAAK32.EXE
C:\WINDOWS\SYSTEM\ATLLX32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\JAVAAK32.EXE
C:\WINDOWS\SYSTEM\SYSMJ.EXE
C:\HJT\HIJACKTHIS.EXE
C:\WINDOWS\ATLWH.EXE
C:\WINDOWS\SYSTEM\CRJT32.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {57735AF3-729E-E963-686F-450AEB89CFBB} - C:\WINDOWS\SYSTEM\SDKMN.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Simple Trax] C:\Program Files\CD-Writer Plus\HP Simple Trax\hpcron.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [MFCKB32.EXE] C:\WINDOWS\SYSTEM\MFCKB32.EXE
O4 - HKLM\..\RunServices: [APPQU.EXE] C:\WINDOWS\SYSTEM\APPQU.EXE
O4 - HKLM\..\RunServices: [JAVAYN32.EXE] C:\WINDOWS\SYSTEM\JAVAYN32.EXE
O4 - HKLM\..\RunServices: [CRYD32.EXE] C:\WINDOWS\SYSTEM\CRYD32.EXE
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [JAVAVL32.EXE] C:\WINDOWS\SYSTEM\JAVAVL32.EXE
O4 - HKLM\..\RunServices: [JAVAJM.EXE] C:\WINDOWS\SYSTEM\JAVAJM.EXE
O4 - HKLM\..\RunServices: [NETEU32.EXE] C:\WINDOWS\SYSTEM\NETEU32.EXE
O4 - HKLM\..\RunServices: [SDKKR32.EXE] C:\WINDOWS\SYSTEM\SDKKR32.EXE
O4 - HKLM\..\RunServices: [IPLR.EXE] C:\WINDOWS\SYSTEM\IPLR.EXE
O4 - HKLM\..\RunServices: [ADDRM32.EXE] C:\WINDOWS\SYSTEM\ADDRM32.EXE
O4 - HKLM\..\RunServices: [WINFD32.EXE] C:\WINDOWS\SYSTEM\WINFD32.EXE
O4 - HKLM\..\RunServices: [NETZV.EXE] C:\WINDOWS\SYSTEM\NETZV.EXE
O4 - HKLM\..\RunServices: [ADDYX.EXE] C:\WINDOWS\SYSTEM\ADDYX.EXE
O4 - HKLM\..\RunServices: [MSZS.EXE] C:\WINDOWS\SYSTEM\MSZS.EXE
O4 - HKLM\..\RunServices: [APIGW.EXE] C:\WINDOWS\SYSTEM\APIGW.EXE
O4 - HKLM\..\RunServices: [JAVAJW32.EXE] C:\WINDOWS\SYSTEM\JAVAJW32.EXE
O4 - HKLM\..\RunServices: [APIQX32.EXE] C:\WINDOWS\APIQX32.EXE
O4 - HKLM\..\RunServices: [APIWC.EXE] C:\WINDOWS\SYSTEM\APIWC.EXE
O4 - HKLM\..\RunServices: [ADDSI32.EXE] C:\WINDOWS\SYSTEM\ADDSI32.EXE
O4 - HKLM\..\RunServices: [JAVADV32.EXE] C:\WINDOWS\SYSTEM\JAVADV32.EXE
O4 - HKLM\..\RunServices: [ATLFS.EXE] C:\WINDOWS\SYSTEM\ATLFS.EXE
O4 - HKLM\..\RunServices: [APIRK32.EXE] C:\WINDOWS\APIRK32.EXE
O4 - HKLM\..\RunServices: [APPWQ.EXE] C:\WINDOWS\APPWQ.EXE
O4 - HKLM\..\RunServices: [WINKG.EXE] C:\WINDOWS\WINKG.EXE
O4 - HKLM\..\RunServices: [APIQU32.EXE] C:\WINDOWS\SYSTEM\APIQU32.EXE
O4 - HKLM\..\RunServices: [NTGB.EXE] C:\WINDOWS\SYSTEM\NTGB.EXE
O4 - HKLM\..\RunServices: [ATLWH.EXE] C:\WINDOWS\ATLWH.EXE
O4 - HKLM\..\RunServices: [JAVAAK32.EXE] C:\WINDOWS\SYSTEM\JAVAAK32.EXE
O4 - HKLM\..\RunServices: [ATLLX32.EXE] C:\WINDOWS\SYSTEM\ATLLX32.EXE
O4 - HKLM\..\RunServices: [SYSMJ.EXE] C:\WINDOWS\SYSTEM\SYSMJ.EXE
O4 - HKLM\..\RunServices: [CRJT32.EXE] C:\WINDOWS\SYSTEM\CRJT32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Xwwtye] C:\WINDOWS\SYSTEM\jwjwxqnd.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b544a6dea495ee2002/netzip/RdxIE601.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
This discussion has been closed.
Comments
The guide was written for XP / Win 2000. The difference with Win 95/98 is that it does not have the service control panel as outlined. I plan to add some info for Win 95/98 users soon. We have helped a few Win 98 users get rid of this thing.
However, your infection may be partly due to the older CWS hijack. Download CWShredder and run it first. http://www.short-media.com/files/downloads/Tweaking%20and%20Tuning/General%20Utilities/CWShredder.exe
See what it does, and hopefully it may clean a few items from your log. Then post a fresh log and we can work on the rest of the removal.
Dexter...
Thank you very much for replying. I have run CWshredder and about_buster which did remove some files. I’ve been removing the files in R0 & R1 (in this hijack log - C:\WINDOWS\psmpp.dll) and a file in O2 – BHO (in this hijack log - C:\WINDOWS\SYSTEM\SDKMN.DLL), but after reboot, new files with different names return to their place. Originally, I did not remove anything from the "O4 RunService" because the guide mentioned "O4 RunOnce". However, I believe this is the difference between Win 98 and XP.
I will try to remove the obvious O4 RunService files in HJT and delete in DOS and will then repost.
Thanks,
Jeff
Here are the entries to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about_:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\psmpp.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\psmpp.dll/sp.html#29126
O2 - BHO: Class - {57735AF3-729E-E963-686F-450AEB89CFBB} - C:\WINDOWS\SYSTEM\SDKMN.DLL
O4 - HKLM\..\RunServices: [MFCKB32.EXE] C:\WINDOWS\SYSTEM\MFCKB32.EXE
O4 - HKLM\..\RunServices: [APPQU.EXE] C:\WINDOWS\SYSTEM\APPQU.EXE
O4 - HKLM\..\RunServices: [JAVAYN32.EXE] C:\WINDOWS\SYSTEM\JAVAYN32.EXE
O4 - HKLM\..\RunServices: [CRYD32.EXE] C:\WINDOWS\SYSTEM\CRYD32.EXE
O4 - HKLM\..\RunServices: [JAVAVL32.EXE] C:\WINDOWS\SYSTEM\JAVAVL32.EXE
O4 - HKLM\..\RunServices: [JAVAJM.EXE] C:\WINDOWS\SYSTEM\JAVAJM.EXE
O4 - HKLM\..\RunServices: [NETEU32.EXE] C:\WINDOWS\SYSTEM\NETEU32.EXE
O4 - HKLM\..\RunServices: [SDKKR32.EXE] C:\WINDOWS\SYSTEM\SDKKR32.EXE
O4 - HKLM\..\RunServices: [IPLR.EXE] C:\WINDOWS\SYSTEM\IPLR.EXE
O4 - HKLM\..\RunServices: [ADDRM32.EXE] C:\WINDOWS\SYSTEM\ADDRM32.EXE
O4 - HKLM\..\RunServices: [WINFD32.EXE] C:\WINDOWS\SYSTEM\WINFD32.EXE
O4 - HKLM\..\RunServices: [NETZV.EXE] C:\WINDOWS\SYSTEM\NETZV.EXE
O4 - HKLM\..\RunServices: [ADDYX.EXE] C:\WINDOWS\SYSTEM\ADDYX.EXE
O4 - HKLM\..\RunServices: [MSZS.EXE] C:\WINDOWS\SYSTEM\MSZS.EXE
O4 - HKLM\..\RunServices: [APIGW.EXE] C:\WINDOWS\SYSTEM\APIGW.EXE
O4 - HKLM\..\RunServices: [JAVAJW32.EXE] C:\WINDOWS\SYSTEM\JAVAJW32.EXE
O4 - HKLM\..\RunServices: [APIQX32.EXE] C:\WINDOWS\APIQX32.EXE
O4 - HKLM\..\RunServices: [APIWC.EXE] C:\WINDOWS\SYSTEM\APIWC.EXE
O4 - HKLM\..\RunServices: [ADDSI32.EXE] C:\WINDOWS\SYSTEM\ADDSI32.EXE
O4 - HKLM\..\RunServices: [JAVADV32.EXE] C:\WINDOWS\SYSTEM\JAVADV32.EXE
O4 - HKLM\..\RunServices: [ATLFS.EXE] C:\WINDOWS\SYSTEM\ATLFS.EXE
O4 - HKLM\..\RunServices: [APIRK32.EXE] C:\WINDOWS\APIRK32.EXE
O4 - HKLM\..\RunServices: [APPWQ.EXE] C:\WINDOWS\APPWQ.EXE
O4 - HKLM\..\RunServices: [WINKG.EXE] C:\WINDOWS\WINKG.EXE
O4 - HKLM\..\RunServices: [APIQU32.EXE] C:\WINDOWS\SYSTEM\APIQU32.EXE
O4 - HKLM\..\RunServices: [NTGB.EXE] C:\WINDOWS\SYSTEM\NTGB.EXE
O4 - HKLM\..\RunServices: [ATLWH.EXE] C:\WINDOWS\ATLWH.EXE
O4 - HKLM\..\RunServices: [JAVAAK32.EXE] C:\WINDOWS\SYSTEM\JAVAAK32.EXE
O4 - HKLM\..\RunServices: [ATLLX32.EXE] C:\WINDOWS\SYSTEM\ATLLX32.EXE
O4 - HKLM\..\RunServices: [SYSMJ.EXE] C:\WINDOWS\SYSTEM\SYSMJ.EXE
O4 - HKLM\..\RunServices: [CRJT32.EXE] C:\WINDOWS\SYSTEM\CRJT32.EXE
O4 - HKCU\..\Run: [Xwwtye] C:\WINDOWS\SYSTEM\jwjwxqnd.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
Also, remove all the O16 DPF entries as well to clean them up. Anything you really need will be re-downloaded on-demand from a particular site if you need it.
Now, for the hard part...
Using Killbox as I instructed you to download above, you need to delete each and every .dll and .exe file in the list above.
Run the program. In the bottom right hand corner you will see a drop-down box labelled (System Process.) Drop that down, and select the active process that is likely to be your main infection reloader. That will be any of the exe processes you see in my list above. Once you have selected any file name, click the yellow triangle with the ! inside it to end that process.
Next, at the top of the window, use the folder icon to browse to each of those exe files, and press the red X button to delete that file. If it will not delete, repeat, but select Delete on Reboot. When it asks if you want to reboot now, choose "No." Just keep tagging them all for reboot, then do a reboot later.
Then browse to each of the dll files, and select them one at a time. Turn on the option "unregister dll before deleting." Then delete each dll.
Now reboot, let those files that were tagged for delete on reboot get deleted, then go back to HJT, and check things out.
Do this in regular mode first. If it does not work, try it in Safe Mode, except that the exe will probably not be running as a system process in safe mode, so all you will need to do is delete them.
Try that, and let me know. This worked successfully for another Win 98 user, and I believe it will work for you too. Come post a fresh log for review.
Dexter...
Again, thank you for your reply. Before I received your reply, I proceeded as I had mentioned earlier. I ran HJT, went through and checked every DLL and EXE in Google to determine if it was valid or not, ran HJT again removing all the suspect files, did a hard reboot, went to SAFE mode DOS prompt, and manually deleted every one. It took several hours but worked. I'm "Home Search" and pop-up free. I did take your advice and removed the O16 DPF entries. I ran HJT again. Here is the log:
Logfile of HijackThis v1.98.2
Scan saved at 9:32:46 PM, on 9/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\HP SIMPLE TRAX\HPCRON.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bankatfirstnational.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Simple Trax] C:\Program Files\CD-Writer Plus\HP Simple Trax\hpcron.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
I think your method would have been a lot easier. Thank you so much for your help. This is a great service.
One more question, how do I prevent this from happening again?
Jeff
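An added example, not part of either poster's message: a small Python parser for the HijackThis O4 registry autorun lines shown in this thread, which diffs a "before" and "after" log and flags entries matching the pattern seen in the list above. The self-naming heuristic and the function names are assumptions made for this illustration, and the sample logs are constructed from lines that appear in the thread.

```python
import ntpath
import re

# Registry autorun line: O4 - <hive>\..\<key>: [<value name>] <command>
# ("O4 - Startup:" shortcut lines have a different shape and are skipped.)
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)
SYSTEM_DIRS = (r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM")

# Constructed samples assembled from lines that appear in the thread's logs.
BEFORE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunServices: [CRYD32.EXE] C:\WINDOWS\SYSTEM\CRYD32.EXE
O4 - HKLM\..\RunServices: [APIQX32.EXE] C:\WINDOWS\APIQX32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Xwwtye] C:\WINDOWS\SYSTEM\jwjwxqnd.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [VidSvr]
"""

def parse_o4(log_text):
    """Return one dict per registry autorun (O4) line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(dict(zip(("hive", "key", "name", "command"), m.groups())))
    return entries

def names_itself(entry):
    # Assumed heuristic, taken from the pattern in this thread only: the value
    # name is the executable's own file name and the file sits directly in
    # the Windows or Windows\System folder.
    m = EXE_RE.match(entry["command"])
    if not m:
        return False  # e.g. "[VidSvr]" with an empty command
    path = m.group(1).upper()
    return (entry["name"].upper() == ntpath.basename(path)
            and ntpath.dirname(path) in SYSTEM_DIRS)

def removed(before, after):
    """Entries present in the first log but gone from the second."""
    ident = lambda e: (e["hive"], e["key"], e["name"].upper(), e["command"].upper())
    still_there = {ident(e) for e in after}
    return [e for e in before if ident(e) not in still_there]

if __name__ == "__main__":
    old, new = parse_o4(BEFORE), parse_o4(AFTER)
    print("flagged:", [e["name"] for e in old if names_itself(e)])
    print("removed:", [e["name"] for e in removed(old, new)])
```

The heuristic does not flag the `[Xwwtye]` entry, whose value name differs from its file name; only the before/after diff surfaces it, so a flagged list is a starting point for review rather than a verdict.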
Please read our article on Defeating Spyware for tips on how to improve your Internet Explorer security, or to learn how to switch to a different browser. For more general information about spyware read this page.
If you are going to stay on IE, then for further protection, use the "immunize" feature of Spybot, and also download SpywareBlaster from our Security Downloads page for added protection. Also, use a custom HOSTS file: instructions and a download available here: http://www.mvps.org/winhelp2002/hosts.htm
This will not guarantee 100% protection, but will certainly make things a lot better.
Finally, if you have not already done so, please take the time to find out more about Folding For a Cure, a good cause by which your computer uses its spare power to help search for cures to diseases. We would love to have you on our Team.
Dexter...