Please I need help to remove home search assistant
Hello, please can someone help me. I tried to follow this site's instructions to remove HSA. I did a scan with Ad-Aware and SpyBot Search and Destroy. I downloaded HijackThis and saved the log. I proceeded to the next step, which was to run 'services.msc', but an error message appeared. Below is my HijackThis log. Any help to remove HSA would be greatly appreciated. Thanks a lot.
Logfile of HijackThis v1.98.2
Scan saved at 3:48:49 p.m., on 28/09/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\MSMF32.EXE
C:\WINDOWS\SYSTEM\ADDSR32.EXE
C:\WINDOWS\APIZC.EXE
C:\WINDOWS\NTIM.EXE
C:\WINDOWS\SYSTEM\SYSWH.EXE
C:\WINDOWS\SYSTEM\APIQX.EXE
C:\WINDOWS\SYSTEM\MSER.EXE
C:\WINDOWS\NTOG.EXE
C:\WINDOWS\D3AG.EXE
C:\WINDOWS\APIDN32.EXE
C:\WINDOWS\WINFT.EXE
C:\WINDOWS\SYSTEM\SDKJH32.EXE
C:\WINDOWS\SYSTEM\SDKHD.EXE
C:\WINDOWS\SYSTEM\MFCEU32.EXE
C:\WINDOWS\SYSTEM\SYSDE32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSFLG32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\WINDOWS\SYSTEM\AOLQJB.EXE
C:\WINDOWS\MFCOO.EXE
C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\APIZC.EXE
C:\WINDOWS\SYSTEM\SYSWH.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\APIDN32.EXE
C:\WINDOWS\MFCKF32.EXE
C:\WINDOWS\APIDN32.EXE
C:\WINDOWS\SYSTEM\IELO32.EXE
C:\WINDOWS\SYSTEM\MSER.EXE
C:\WINDOWS\APINS.EXE
C:\WINDOWS\SYSTEM\IELO32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R3 - Default URLSearchHook is missing
F1 - win.ini: run=c:\windows\system\sysflg32.exe
O2 - BHO: Class - {DCEE8800-2FBE-7C0E-0282-B75592A45AE8} - C:\WINDOWS\SYSTEM\MFCBX.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKLM\..\Run: [gvhsxmqodj] C:\WINDOWS\SYSTEM\aolqjb.exe
O4 - HKLM\..\Run: [MFCOO.EXE] C:\WINDOWS\MFCOO.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [APIQX.EXE] C:\WINDOWS\SYSTEM\APIQX.EXE
O4 - HKLM\..\RunServices: [NTOG.EXE] C:\WINDOWS\NTOG.EXE
O4 - HKLM\..\RunServices: [SDKJH32.EXE] C:\WINDOWS\SYSTEM\SDKJH32.EXE
O4 - HKLM\..\RunServices: [NTIM.EXE] C:\WINDOWS\NTIM.EXE
O4 - HKLM\..\RunServices: [APIDN32.EXE] C:\WINDOWS\APIDN32.EXE
O4 - HKLM\..\RunServices: [APIZC.EXE] C:\WINDOWS\APIZC.EXE
O4 - HKLM\..\RunServices: [SYSWH.EXE] C:\WINDOWS\SYSTEM\SYSWH.EXE
O4 - HKLM\..\RunServices: [MFCEU32.EXE] C:\WINDOWS\SYSTEM\MFCEU32.EXE
O4 - HKLM\..\RunServices: [MSMF32.EXE] C:\WINDOWS\MSMF32.EXE
O4 - HKLM\..\RunServices: [ADDSR32.EXE] C:\WINDOWS\SYSTEM\ADDSR32.EXE
O4 - HKLM\..\RunServices: [MSER.EXE] C:\WINDOWS\SYSTEM\MSER.EXE
O4 - HKLM\..\RunServices: [D3AG.EXE] C:\WINDOWS\D3AG.EXE
O4 - HKLM\..\RunServices: [WINFT.EXE] C:\WINDOWS\WINFT.EXE
O4 - HKLM\..\RunServices: [SYSDE32.EXE] C:\WINDOWS\SYSTEM\SYSDE32.EXE
O4 - HKLM\..\RunServices: [SDKHD.EXE] C:\WINDOWS\SYSTEM\SDKHD.EXE
O4 - HKLM\..\RunServices: [Sysflg32] c:\windows\system\sysflg32.exe
O4 - HKLM\..\RunServices: [MFCKF32.EXE] C:\WINDOWS\MFCKF32.EXE
O4 - HKLM\..\RunServices: [IELO32.EXE] C:\WINDOWS\SYSTEM\IELO32.EXE
O4 - HKLM\..\RunServices: [APINS.EXE] C:\WINDOWS\APINS.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=49e422e7968751004a7c475f91f16bf5704ecd078aae7d3982a3508206fdc37f677f5429ee732a811e3c55f70527c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uukfunna.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nz/nz/games9.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
Comments
The HSA Removal Guide only covers Win 2000 and XP. There is a different method for Win 95/98/ME which we have not put in a guide format yet. Your infection is pretty deep, so the fixes are going to take some time, and it may take us a few rounds worth of fixes to get them all. You are going to want to print these instructions out for easy reference.
Here is what you need to do:
Download the program Killbox from our Security downloads page (link in my signature). Unzip it to its own folder. Run the program. In the bottom right hand corner you will see a drop-down box labelled (System Process). Drop that down, and select the following processes, if they are active, one at a time:
SSDPSRV.EXE
MSMF32.EXE
ADDSR32.EXE
APIZC.EXE
NTIM.EXE
SYSWH.EXE
APIQX.EXE
MSER.EXE
NTOG.EXE
D3AG.EXE
APIDN32.EXE
WINFT.EXE
SDKJH32.EXE
SDKHD.EXE
MFCEU32.EXE
SYSDE32.EXE
SYSFLG32.EXE
WINUPDT.EXE
MFCOO.EXE
WINKA.EXE
APIZC.EXE
SYSWH.EXE
APIDN32.EXE
MFCKF32.EXE
APIDN32.EXE
IELO32.EXE
MSER.EXE
APINS.EXE
IELO32.EXE
Once you have selected each file name, click the yellow triangle with the ! inside it to end that process.
Next, at the top of the window, use the folder icon to browse to each of these files one at a time:
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\MSMF32.EXE
C:\WINDOWS\SYSTEM\ADDSR32.EXE
C:\WINDOWS\APIZC.EXE
C:\WINDOWS\NTIM.EXE
C:\WINDOWS\SYSTEM\SYSWH.EXE
C:\WINDOWS\SYSTEM\APIQX.EXE
C:\WINDOWS\SYSTEM\MSER.EXE
C:\WINDOWS\NTOG.EXE
C:\WINDOWS\D3AG.EXE
C:\WINDOWS\APIDN32.EXE
C:\WINDOWS\WINFT.EXE
C:\WINDOWS\SYSTEM\SDKJH32.EXE
C:\WINDOWS\SYSTEM\SDKHD.EXE
C:\WINDOWS\SYSTEM\MFCEU32.EXE
C:\WINDOWS\SYSTEM\SYSDE32.EXE
C:\WINDOWS\SYSTEM\SYSFLG32.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\WINDOWS\MFCOO.EXE
C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
C:\WINDOWS\APIZC.EXE
C:\WINDOWS\SYSTEM\SYSWH.EXE
C:\WINDOWS\APIDN32.EXE
C:\WINDOWS\MFCKF32.EXE
C:\WINDOWS\APIDN32.EXE
C:\WINDOWS\SYSTEM\IELO32.EXE
C:\WINDOWS\SYSTEM\MSER.EXE
C:\WINDOWS\APINS.EXE
C:\WINDOWS\SYSTEM\IELO32.EXE
For each one, check off "end Explore shell while killing file" and press the red X button to delete each file. If that does not delete it, mark the file for "delete on reboot." Do not reboot after each file, we will do that once at the end when you have selected them all individually.
Then browse to:
C:\WINDOWS\zqmab.dll
C:\WINDOWS\SYSTEM\MFCBX.DLL
and select each one in turn. Turn on the option "unregister dll before deleting." Then delete it. If that does not delete it, mark the file for "delete on reboot."
Then remove the entries in HJT which match up to those file names:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R3 - Default URLSearchHook is missing
F1 - win.ini: run=c:\windows\system\sysflg32.exe
O2 - BHO: Class - {DCEE8800-2FBE-7C0E-0282-B75592A45AE8} - C:\WINDOWS\SYSTEM\MFCBX.DLL
O4 - HKLM\..\Run: [gvhsxmqodj] C:\WINDOWS\SYSTEM\aolqjb.exe
O4 - HKLM\..\Run: [MFCOO.EXE] C:\WINDOWS\MFCOO.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [APIQX.EXE] C:\WINDOWS\SYSTEM\APIQX.EXE
O4 - HKLM\..\RunServices: [NTOG.EXE] C:\WINDOWS\NTOG.EXE
O4 - HKLM\..\RunServices: [SDKJH32.EXE] C:\WINDOWS\SYSTEM\SDKJH32.EXE
O4 - HKLM\..\RunServices: [NTIM.EXE] C:\WINDOWS\NTIM.EXE
O4 - HKLM\..\RunServices: [APIDN32.EXE] C:\WINDOWS\APIDN32.EXE
O4 - HKLM\..\RunServices: [APIZC.EXE] C:\WINDOWS\APIZC.EXE
O4 - HKLM\..\RunServices: [SYSWH.EXE] C:\WINDOWS\SYSTEM\SYSWH.EXE
O4 - HKLM\..\RunServices: [MFCEU32.EXE] C:\WINDOWS\SYSTEM\MFCEU32.EXE
O4 - HKLM\..\RunServices: [MSMF32.EXE] C:\WINDOWS\MSMF32.EXE
O4 - HKLM\..\RunServices: [ADDSR32.EXE] C:\WINDOWS\SYSTEM\ADDSR32.EXE
O4 - HKLM\..\RunServices: [MSER.EXE] C:\WINDOWS\SYSTEM\MSER.EXE
O4 - HKLM\..\RunServices: [D3AG.EXE] C:\WINDOWS\D3AG.EXE
O4 - HKLM\..\RunServices: [WINFT.EXE] C:\WINDOWS\WINFT.EXE
O4 - HKLM\..\RunServices: [SYSDE32.EXE] C:\WINDOWS\SYSTEM\SYSDE32.EXE
O4 - HKLM\..\RunServices: [SDKHD.EXE] C:\WINDOWS\SYSTEM\SDKHD.EXE
O4 - HKLM\..\RunServices: [Sysflg32] c:\windows\system\sysflg32.exe
O4 - HKLM\..\RunServices: [MFCKF32.EXE] C:\WINDOWS\MFCKF32.EXE
O4 - HKLM\..\RunServices: [IELO32.EXE] C:\WINDOWS\SYSTEM\IELO32.EXE
O4 - HKLM\..\RunServices: [APINS.EXE] C:\WINDOWS\APINS.EXE
Do this in regular mode first. If it does not work, try it in Safe Mode, except that the exe will probably not be running as a system process in safe mode, so all you will need to do is delete it.
I also want you to fix the following bad entries:
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
(Incredimail is known spyware / adware. Uninstall it.)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=49e422e7968751004a7c475f91f16bf5704ecd078aae7d3982a3508206fdc37f677f5429ee732a811e3c55f70527c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\uukfunna.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nz/nz/games9.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
Next, manually locate the exe and dll files in the entries above, and quarantine them. If you cannot move or rename the files, reboot into Safe Mode and try again.
Then, go into C: -> Windows -> Downloaded Program Files, and delete everything in there. Anything you really need will be re-downloaded on demand when you visit the website that needs it. Some of those O16 DPF entries in your HJT log are installer files for malware.
Let us know how that works, and post another log for review.
Dexter...
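The reply above walks through the triage by hand: kill the processes that belong to the infection, delete their files, then "remove the entries in HJT which match up to those file names". As an added example (this is not code from the forum, from HijackThis or from Killbox), the Python below parses HijackThis-format lines and does that matching in code. The sample input is a constructed subset of the log posted in this thread; the flagging rules (search settings served from a local `res://` DLL, `win.ini run=` autostarts, O4 entries whose label is just the executable name, wildcard Trusted Zone entries, O16 DPF entries pointing at a `file://` path), the function names and the report layout are my own assumptions, drawn from the patterns visible in the posted log rather than from any HijackThis documentation.

```python
"""HijackThis log triage helpers (added example; not HijackThis's, Killbox's or
the forum's own code).  It does in code what the reply asks the reader to do by
hand: flag the hijacked IE search settings, auto-named O4 startup entries,
wildcard Trusted Zone and local-file DPF entries; collect the files they name;
show which of those are running (kill first); list every entry naming them."""
import re
import ntpath  # Windows path rules, so basename() also works on Linux/macOS

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\APIQX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSFLG32.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zqmab.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F1 - win.ini: run=c:\windows\system\sysflg32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [APIQX.EXE] C:\WINDOWS\SYSTEM\APIQX.EXE
O4 - HKLM\..\RunServices: [Sysflg32] c:\windows\system\sysflg32.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Local path ending in .exe/.dll/.ocx; spaces allowed, brackets and '=' not,
# non-greedy so "res://C:\WINDOWS\zqmab.dll/sp.html" yields just the DLL.
LOCAL_FILE_RE = re.compile(r"[A-Za-z]:\\[^\[\]=]*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")


def parse_log(text):
    """Split a log into the 'Running processes' list and (kind, body, line) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("kind"), m.group("body"), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_entries(entries):
    """Return (reason, line) pairs for the patterns the reply singles out."""
    flagged = []
    for kind, body, line in entries:
        if kind in ("R0", "R1") and "= res://" in body:
            # IE start/search settings redirected into a resource inside a local DLL.
            flagged.append(("search setting served from a local DLL", line))
        elif kind == "F1":
            # win.ini run= is a legacy autostart that current software does not use.
            flagged.append(("win.ini run= autostart", line))
        elif kind == "O4":
            m = O4_RE.match(body)
            path = m and LOCAL_FILE_RE.search(m.group("cmd"))
            # Label identical to the file name, e.g. [APIQX.EXE] ...\APIQX.EXE,
            # is the auto-generated style seen throughout the posted log.
            if path and m.group("label").upper() == ntpath.basename(path.group(0)).upper():
                flagged.append(("startup label is just the executable name", line))
        elif kind == "O15" and body.startswith("Trusted Zone: *."):
            flagged.append(("wildcard Trusted Zone entry", line))
        elif kind == "O16" and "- file://" in body:
            # Downloaded Program Files entry that "installs" from a local file.
            flagged.append(("DPF entry points at a local file", line))
    return flagged


def referenced_files(lines):
    """Upper-cased local .exe/.dll/.ocx paths named in the given lines."""
    return {m.group(0).upper() for line in lines for m in LOCAL_FILE_RE.finditer(line)}


def entries_referencing(entries, filenames):
    """The 'match up' step: every entry whose path names one of the given files."""
    wanted = {f.upper() for f in filenames}
    return [line for _, _, line in entries
            if any(ntpath.basename(p).upper() in wanted for p in LOCAL_FILE_RE.findall(line))]


def triage(text):
    """Full pass: flagged entries, files to quarantine, which ones run, entries to fix."""
    processes, entries = parse_log(text)
    flagged = flag_entries(entries)
    files = referenced_files(line for _, line in flagged)
    names = {ntpath.basename(f) for f in files}
    return {
        "flagged": flagged,
        "files": sorted(files),
        "running": sorted(p for p in processes if ntpath.basename(p).upper() in names),
        "entries_to_fix": entries_referencing(entries, names),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"== {key} ==", *items, sep="\n  ")
```

Run it as a script to see the four lists for the sample. The point of the last step is visible in the sample: the `O4 ... [Sysflg32] c:\windows\system\sysflg32.exe` entry is not caught by any flagging rule on its own, but it names the same file as the flagged `F1` win.ini line, so the file-name matching pulls it into the entries to fix, which is exactly the cross-referencing the reply asks the user to do across the process list, the file list and the HJT entries. Paste a full log into `triage()` in place of the sample to get the same report for it.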