HSA Removal - HJT Log Review - PLEASE Help

I ran through the steps in the HSA removal guide and things just don't seem to be getting any better. Can someone please review this log for anything that sticks out? Thank you.
Logfile of HijackThis v1.98.2
Scan saved at ?? 12:18:46, on 2004-10-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\appat32.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\ieft.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {11BEC0B9-C370-4820-FE14-3C42B32E0875} - C:\WINDOWS\system32\apitx.dll
O4 - HKLM\..\Run: [appat32.exe] C:\WINDOWS\system32\appat32.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
Comments
Anyways, shouldn't be anything we can't handle.
Delete the following (which happens to be most of it):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
To delete WinTools you are going to have to run it in safe mode. It's good to manually delete the WinTools stuff also. In safe mode go to C:\Program Files\Common Files\ and delete the WinTools dir or it has a chance of just coming back.
Make sure and run an updated scan of Adaware after you remove all this so you won't have webrebates just sittin on your PC and stuff.
Good luck with it man.
cheers
O2 - BHO: (no name) - {11BEC0B9-C370-4820-FE14-3C42B32E0875} - C:\WINDOWS\system32\apitx.dll
O4 - HKLM\..\Run: [appat32.exe] C:\WINDOWS\system32\appat32.exe
Fix those entries then find and delete the files that Jared pointed out, along with these:
C:\WINDOWS\system32\apitx.dll
C:\WINDOWS\system32\appat32.exe
C:\WINDOWS\ieft.exe
And pull the plug out of your computer. Plug it back in and boot into Safe Mode to delete Windows SyncroAd.
Once you've done that boot back into normal mode and post a new log.
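
Added example, not part of the thread: a small triage script for a HijackThis log like the one posted above. It re-joins hard-wrapped entries, counts the DLLs that R0/R1 (Internet Explorer start and search page) values load through res:// URLs, and lists the O4 registry Run autostarts. The function names and the SAMPLE excerpt are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed excerpt: entries from the log in this thread, hard-wrapped the
# way pasted logs often arrive.
SAMPLE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\system32\pqurn.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {11BEC0B9-C370-4820-FE14-3C42B32E0875} -
C:\WINDOWS\system32\apitx.dll
O4 - HKLM\..\Run: [appat32.exe] C:\WINDOWS\system32\appat32.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows
SyncroAd\SyncroAd.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "R1 - ...", "O4 - ..."
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
RUN = re.compile(r'^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] "?(.+?)"?$')

def parse_entries(text):
    """Return [(code, body)], re-joining bodies that were split across lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append([m.group(1), m.group(2)])
        elif line.strip() and entries:      # continuation of the previous entry
            entries[-1][1] += " " + line.strip()
    return [tuple(e) for e in entries]

def hijack_dlls(entries):
    """Count DLLs that R0/R1 values point at through res:// URLs."""
    found = (RES_DLL.search(b) for c, b in entries if c in ("R0", "R1"))
    return Counter(m.group(1).lower() for m in found if m)

def autoruns(entries):
    """Return {value name: command} for O4 registry Run entries."""
    out = {}
    for code, body in entries:
        m = RUN.match(body) if code == "O4" else None
        if m:
            out[m.group(3)] = m.group(4)
    return out
```

A single DLL showing up behind several search and start page values, as pqurn.dll does here, is the pattern to look for when reviewing the R section.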