Removing Home Search

Unknown

Please HELP!

Here's my HJT log. Hoping someone can help me pick out the bogus entries from it to rid my PC of Home Search. I thought I'd tried everything but apparently not.

Logfile of HijackThis v1.98.2
Scan saved at 12:15:11 PM, on 9/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\syszt32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MI6841~1\MSSQL$~2\binn\sqlservr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\mfcra32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Martin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\sysri.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [apilb.exe] C:\WINDOWS\system32\apilb.exe
O4 - HKLM\..\Run: [syszt32.exe] C:\WINDOWS\system32\syszt32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.pcu.org
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)

Dexter

We need you to also post a list of your active services. Refer to Post #2 of the Removal Guide for instructions on how to do that. Post that log here as well. Please do not reboot your computer until you get an answer from one of us, as rebooting will cause the file names to change.

Dexter...

haggartymf

Here is the content of Active.txt...

These are the Current Active Services:

Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

Background Intelligent Transfer Service: BITS
C:\WINDOWS\System32\svchost.exe -k netsvcs

Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

Logical Disk Manager: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

Messenger: Messenger
C:\WINDOWS\System32\svchost.exe -k netsvcs

Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

Windows Time: w32time
C:\WINDOWS\system32\svchost.exe -k netsvcs

Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

Indexing Service: CiSvc
C:\WINDOWS\system32\cisvc.exe

COM+ System Application: COMSysApp
C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Diskeeper: Diskeeper
C:\Program Files\Executive Software\Diskeeper\DkService.exe

DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

Event Log: Eventlog
C:\WINDOWS\system32\services.exe

Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe

IIS Admin: IISADMIN
C:\WINDOWS\System32\inetsrv\inetinfo.exe

FTP Publishing: MSFtpsvc
C:\WINDOWS\System32\inetsrv\inetinfo.exe

Simple Mail Transfer Protocol (SMTP): SMTPSVC
C:\WINDOWS\System32\inetsrv\inetinfo.exe

World Wide Web Publishing: W3SVC
C:\WINDOWS\System32\inetsrv\inetinfo.exe

TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

Remote Registry: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService

SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

McAfee Framework Service: McAfeeFramework
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart

Network Associates McShield: McShield
"C:\Program Files\Network Associates\VirusScan\Mcshield.exe"

Network Associates Task Manager: McTaskManager
"C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"

Microsoft Search: MSSEARCH
"C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe"

MSSQL$UCIDATABASE: MSSQL$UCIDATABASE
C:\PROGRA~1\MI6841~1\MSSQL$~2\binn\sqlservr.exe -sUCIDATABASE

MSSQLServer: MSSQLServer
C:\MSSQL7\binn\sqlservr.exe

NT LM Security Support Provider: NtLmSsp
C:\WINDOWS\System32\lsass.exe

IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe

Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe

NVIDIA Driver Helper Service: NVSvc
C:\WINDOWS\System32\nvsvc32.exe

Network Security Service: O?’ŽrtñåȲ$Ó
C:\WINDOWS\system32\mfcra32.exe /s

Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

Simple TCP/IP Services: SimpTcp
C:\WINDOWS\System32\tcpsvcs.exe

SNMP Service: SNMP
C:\WINDOWS\System32\snmp.exe

Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe

SharePoint Timer Service: SPTimer
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE

SQLServerAgent: SQLServerAgent
C:\MSSQL7\binn\sqlagent.exe

Dexter

From your active services log:

Network Security Service: O?’ŽrtñåȲ$Ó
C:\WINDOWS\system32\mfcra32.exe /s


You need to follow Step 4 of the guide, find that service, right-click on it, STOP it, right-click again and DISABLE.


Then hard-power boot to Safe Mode, run HJT, and FIX:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ugbgd.dll/sp.html#96676

O2 - BHO: (no name) - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\sysri.dll

O4 - HKLM\..\Run: [apilb.exe] C:\WINDOWS\system32\apilb.exe
O4 - HKLM\..\Run: [syszt32.exe] C:\WINDOWS\system32\syszt32.exe

And follow all the rest of the guide instructions.

Also, have HJT fix all of your 016 DPF entries. You have some suspicious looking entries there. Anything you need will be re-downloaded on demand later. Then go into C: -> Windows -> Downloaded Program Files, and delete everything in that folder.

Good luck, let us know how it goes.

Dexter...