Yet Another Home Search Assistant Problem
Hello everyone,
By the looks of how many posts there are just like this, I bet y'all are pretty frustrated with this HSA by now. Me too! This ******** spyware's taken a good 2 hours out of my Sunday afternoon. Fortunately, I was able to remove most of the hijack with the removal guide. No more sketchy-looking programs running in the background; however, the homepage and occasional pop-ups are still there. Currently I just run a shortcut to Google.com on my desktop to bypass the hack. So I'm able to live with it for now. Just writing to see if anyone could help me get rid of it 100%. Here's my HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 2:28:37 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Coffee Bean.bmp:isomc
C:\WINDOWS\netze.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestsearch.name/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {708A6730-F9CB-D58D-1A1A-478BEC083EC0} - C:\WINDOWS\netze.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ntwq.exe] C:\WINDOWS\system32\ntwq.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093150470189
Any help would be great... also, if anyone has any advice on how to prevent HSA again in the future, it would be much appreciated.
Comments
It looks like you still have a fake service running. Please refer to Post #2 of the HSA Removal Guide to generate a log of active services. Post it here for review.
You have a few other problems in your log. I will highlight all the items that need to be removed while in Safe Mode:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bestsearch.name/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestsearch.name/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestsearch.name/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {708A6730-F9CB-D58D-1A1A-478BEC083EC0} - C:\WINDOWS\netze.dll
O4 - HKLM\..\Run: [ntwq.exe] C
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
So, post an active services log, remove those entries, and stand by for further instructions.
Dexter...
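As an added example (not part of the original thread, and not how HijackThis or the helper above decides what to remove): a small Python triage pass over HijackThis log lines that flags the kinds of entries this log shows, such as a running process whose image is an NTFS alternate data stream, IE search pages served from a local DLL via `res://`, an unnamed BHO, and Trusted Zone additions. The function name `triage` and the heuristics are assumptions chosen for illustration; the sample lines are copied from the log in this thread.

```python
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Coffee Bean.bmp:isomc
C:\WINDOWS\netze.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\htwxd.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {708A6730-F9CB-D58D-1A1A-478BEC083EC0} - C:\WINDOWS\netze.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O15 - Trusted Zone: *.searchmiracle.com
"""

# HijackThis entries start with a section code such as R1, O2 or O15.
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")
# A second colon after the drive letter denotes an NTFS alternate data stream (file:stream).
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")
# An IE search/start value that loads an HTML resource out of a local DLL.
RES_DLL = re.compile(r"=\s*res://.+\.dll/", re.IGNORECASE)

def triage(log_text):
    """Return (kind, reason, line) tuples for lines that deserve a closer look.

    Illustrative heuristics only (assumptions, not HijackThis's own logic).
    """
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            in_processes = False  # the process list ends at the first R/O entry
            section, detail = m.groups()
            if section in ("R0", "R1") and RES_DLL.search(detail):
                findings.append((section, "IE search/start page served from a local DLL", line))
            elif section == "O2" and detail.startswith("BHO: (no name)"):
                findings.append((section, "unnamed Browser Helper Object", line))
            elif section == "O15":
                findings.append((section, "site added to the Trusted Zone", line))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and ADS_PATH.match(line):
            findings.append(("PROC", "process image is an alternate data stream", line))
    return findings

if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}: {line}")
```

A flagged line is a prompt for manual review, not a removal verdict; legitimate software can also add Trusted Zone sites or BHOs.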