Options

Help removing Search Assistant

Unknown
edited December 2004 in Spyware & Virus Removal
I have followed the directions I found on ShortMedia (twice) for removing Search Assistant and it is still there. I am copying the results of my HJT scan. If someone could look at it and tell me what I need to delete, I will be so grateful....I am so frustrated!

Below is the list of my HJT scan:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sjice.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sjice.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sjice.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sjice.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\program files\comcast\security manager\app\SecurityManager.exe
O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\Owner\LOCALS~1\Temp\mocsp.dat
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {A52C7D9D-ECE6-E7DB-4A98-9F196536545A} - C:\WINDOWS\sysdc.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wintsc32.exe
O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [*dbbak] C:\WINDOWS\java\dbbak.exe
O4 - HKLM\..\Run: [*vssftp] C:\WINDOWS\java\Packages\vssftp.exe
O4 - HKLM\..\Run: [*vblog] C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\vblog.exe
O4 - HKLM\..\Run: [*pscom] C:\WINDOWS\Web\pscom.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PhilipsRemote] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [*inetac] C:\WINDOWS\Config\inetac.exe
O4 - HKLM\..\Run: [msza32.exe] C:\WINDOWS\system32\msza32.exe
O4 - HKLM\..\RunOnce: [*pscom] C:\WINDOWS\Web\pscom.exe rerun
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Warss] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=c4d72af4b1ef8b2eb240e10c04154a6077e11a0cd9b1a5d3dbd0d06a4d624b0cf871aade7b3625839d3dbd23e4c6ad417080cbeb:63a4e540e01bb8f02daf18125256447f
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100309250906
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} (MNPerformer Class) - http://download.newaol.com/bkpromo/download/PerformerSetup.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Comments

  • Becky Linville
    edited November 2004
    Can anyone PLEASE help me? I have spent about 15 hours this weekend trying to remove Search Assistant. Please look at my HJT list in the previous post. I don't know what else to do. I will greatly appreciate any help anyone can give me.
  • Becky Linville
    edited November 2004
    I am confused. I first posted my Search Assistant problem a couple of days ago, but still have no reply. I've noticed that others with virturally the same problem have had replies and were able to fix their problems. Am I doing something wrong? I am not a discussion board or chat room user, so maybe I am not doing this correctly....????
  • RADARADA Apple Valley, CA Member
    edited November 2004
    Hi Becky,

    Sorry we haven't got back to you sooner, busy time of year for all of us.

    OK, I see your log, but I want to know if you walked through the Search Assistant Removal instructions posted at the top of the Spyware Forums Area?

    Here's the link, it looks more intimidating than it is. Walk through these instructions, if you have any questions, PM me, I'll step you through them. We'll get you cleaned up ASAP.

    Search Assistant Removal Instructions

    RADA
  • Becky Linville
    edited November 2004
    Yes, I have gone through the Search Assistant removal process I found on the short-media web site....at least 3 times. I obviously don't quite know what to delete.

    And thanks so much for looking at my problem. I am ready to throw my PC out the window. I used to be a mainframe programmer, so you would think I might not be too technically challenged...but....
  • SpywareShooterSpywareShooter 127.0.0.1
    edited November 2004
    Please post your new log.
  • RADARADA Apple Valley, CA Member
    edited November 2004
    OK Girl, let's see if we can't whup up on this trojan. :D

    I'm going to explain things in REALLY basic terms, not trying to belittle your PC skills in any way, just want to make sure we're talking from the same page.

    You need to make a folder for a group of Spyware removal tools you'll have to download.

    Here's the link to the S-M Spyware Removal Page - LINK

    You need CWShredder, OmegaKillerSM, & KillBox - Download these and extract them.

    OK, boot your computer in Safe Mode.

    Run the Spyware tools we downloaded earlier.

    Goto C:\Program Files and look through this folder, there are probably a lot of folders you can delete from here. You'll be looking for stuff like "Search Assistant", "Toolbar" If it doesn't have a name you recognize, post the folder name here and I'll let you know if you can kill it.

    NEXT: While still in Safe Mode, run HJT again, here's what you can delete:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sjice.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sjice.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sjice.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sjice.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\Owner\LOCALS~1\Temp\mocsp.dat
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {A52C7D9D-ECE6-E7DB-4A98-9F196536545A} - C:\WINDOWS\sysdc.dll Always delete BHOs with no name

    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe - IBIS Toolbar hijacker - KILL IT!

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain - WildTangent advertising spyware - KILL IT!

    O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wintsc32.exe - EliteBar Adware

    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe - Windupdates Adware Variant

    O4 - HKLM\..\Run: [*inetac] C:\WINDOWS\Config\inetac.exe - Adware -

    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
    Did you install this? If so, never mind, if not remove it.

    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe - Adware Button, Kill it.

    O4 - HKCU\..\Run: [Warss] C:\WINDOWS\System32\??oolsv.exe - Spyware -

    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe - More Spyware -

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) - If you didn't install weather bug software, or you don't use it, Remove it thru the control panel

    If you didn't personally add these websites to your trusted list, KILL THEM!!

    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com

    This stuff too:

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...daf18125256447f
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1100309250906
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab

    O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} (MNPerformer Class) - http://download.newaol.com/bkpromo/...formerSetup.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    That's a start, we'll probably need to do this a couple times to completely clean your system.

    RADA
  • Becky Linville
    edited November 2004
    Okay, RADA, I think you are right. This may take several attempts. After downloading the recommended spyware killers, I ran them in Safe Mode. Then I deleted some Program Files. I do have a couple of questions on that. Do you know what BackWeb is? How about WildTangent? I did install PopUpStopper about a year ago. I hated it and disabled it, but had not bothered to delete it. I did that today. After deleting everything you listed, I rebooted and again reran HJT. I noticed that I ran a scan and still had a lot of the things I had deleted while I was in Safe Mode, so I deleted them again. When I scanned again a few of them still showed up. Then I ran another scan and a lot of them showed up. What's up with that?

    I sent the post previous to this one while I was at work. I am going to bed now, disconnecting from the Internet, so I will check tomorrow. Thanks so much for your time and trying to help me. I feel like I have some hope now. Anyway, here is my latest scan:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:49:56 PM, on 11/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    c:\program files\comcast\security manager\app\PRISM.EXE
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\yayyyy.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\Web\pscom.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Owner\Application Data\wtta.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\t?skmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    F2 - REG:system.ini: UserInit=c:\program files\comcast\security manager\app\SecurityManager.exe
    O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\Owner\LOCALS~1\Temp\mocsp.dat
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe
    O4 - HKLM\..\Run: [*dbbak] C:\WINDOWS\java\dbbak.exe
    O4 - HKLM\..\Run: [*vssftp] C:\WINDOWS\java\Packages\vssftp.exe
    O4 - HKLM\..\Run: [*vblog] C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\vblog.exe
    O4 - HKLM\..\Run: [*pscom] C:\WINDOWS\Web\pscom.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PhilipsRemote] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
    O4 - HKLM\..\Run: [msza32.exe] C:\WINDOWS\system32\msza32.exe
    O4 - HKLM\..\Run: [crlz32.exe] C:\WINDOWS\system32\crlz32.exe
    O4 - HKLM\..\Run: [atldr32.exe] C:\WINDOWS\system32\atldr32.exe
    O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\RunOnce: [*pscom] C:\WINDOWS\Web\pscom.exe rerun
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Jeokhiu] C:\WINDOWS\System32\t?skmgr.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
    O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  • RADARADA Apple Valley, CA Member
    edited November 2004
    Well, your machine is cleaner than it used to be. :D We're making progress!

    I'm in class right now so give me till tomorrow to really look at what you have left on your machine.

    Your machine is really infected, so it will take time. I'll see if one of the other guys can help you too.

    *EDIT

    Get rid of WildTangent & BackWeb too, they're garbage.
  • ThraxThrax 🐌 Austin, TX Icrontian
    edited November 2004
    Delete these in safe mode.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: CATLEvents Object - {30279F2D-1A38-4785-97D4-5C3508BDB289} - C:\DOCUME~1\Owner\LOCALS~1\Temp\mocsp.dat
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [*vssftp] C:\WINDOWS\java\Packages\vssftp.exe
    O4 - HKLM\..\Run: [*vblog] C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System \vblog.exe
    O4 - HKLM\..\Run: [*pscom] C:\WINDOWS\Web\pscom.exe
    O4 - HKLM\..\Run: [msza32.exe] C:\WINDOWS\system32\msza32.exe
    O4 - HKLM\..\Run: [crlz32.exe] C:\WINDOWS\system32\crlz32.exe
    O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\RunOnce: [*pscom] C:\WINDOWS\Web\pscom.exe rerun
    O4 - HKCU\..\Run: [Jeokhiu] C:\WINDOWS\System32\t?skmgr.exe
  • Becky Linville
    edited November 2004
    To all of you who are trying to help me....THANKS.

    I have a class after work tonight, so it won't be that I'm ignoring you. I just won't get to work on this until later tonight. I'll let you know how it goes...
  • Becky Linville
    edited December 2004
    RADA...

    Sorry, I have not replied to let you know the results of your help. I was desparate to remove Search Assistant, and then I did nothing for days. Go figure. Actually, I was really busy, with spouse out of town, classes at night, kid to help with homework, homework of my own. I apologize. I really appreciate your help. So, all that said, here is my log after removing the last bunch of junk:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oufnh.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oufnh.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oufnh.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oufnh.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oufnh.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=c:\program files\comcast\security manager\app\SecurityManager.exe
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {CC736B40-8144-5D9C-A826-91485E5E97D8} - C:\WINDOWS\system32\apifq32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe
    O4 - HKLM\..\Run: [*dbbak] C:\WINDOWS\java\dbbak.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PhilipsRemote] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
    O4 - HKLM\..\Run: [atldr32.exe] C:\WINDOWS\system32\atldr32.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
    O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    Again, I appreciate any insights.
  • Becky Linville
    edited December 2004
    I can't believe I've done this wice already. I pressed send too fast (twice??) Please ignore the last two entries. What I meant to say was this:

    I went ahead and removed some files using Hijacker. BEFORE (this part said after in the last 2 entries) removing files, this is what I had:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pivut.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pivut.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pivut.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pivut.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pivut.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pivut.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pivut.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=c:\program files\comcast\security manager\app\SecurityManager.exe
    O2 - BHO: (no name) - {9B261FA6-9B63-5063-797E-458D1EEA0124} - C:\WINDOWS\mswd32.dll
    O2 - BHO: (no name) - {C205AD1F-5837-3BB8-0CEB-F323397174D6} - C:\WINDOWS\system32\cryb32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    Then, I immediately ran another hijack log. Here is what I had:

    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    F2 - REG:system.ini: UserInit=c:\program files\comcast\security manager\app\SecurityManager.exe
    O2 - BHO: (no name) - {9B261FA6-9B63-5063-797E-458D1EEA0124} - C:\WINDOWS\mswd32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe
    O4 - HKLM\..\Run: [*dbbak] C:\WINDOWS\java\dbbak.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PhilipsRemote] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
    O4 - HKLM\..\Run: [atldr32.exe] C:\WINDOWS\system32\atldr32.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?

    And then, without doing anything, I ran hijack again and many of the files I had deleted were back. Here is the latest file:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddrnf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddrnf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ddrnf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddrnf.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddrnf.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddrnf.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddrnf.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=c:\program files\comcast\security manager\app\SecurityManager.exe
    O2 - BHO: (no name) - {9B261FA6-9B63-5063-797E-458D1EEA0124} - C:\WINDOWS\mswd32.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Security Manager] C:\Program Files\Comcast\Security Manager\app\SecurityManager.exe
    O4 - HKLM\..\Run: [*dbbak] C:\WINDOWS\java\dbbak.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PhilipsRemote] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
    O4 - HKLM\..\Run: [atldr32.exe] C:\WINDOWS\system32\atldr32.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file)
    O9 - Extra button: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F4F9BCDE-1254-4AFE-A71B-F4220AB4BDCA} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    What am I doing wrong? HELP!
    Yesterday 11:10 AM
Sign In or Register to comment.