Arghh- HSA prob, HJT attached-I'm blonde
:bawling: Hi gurus. For 36 hours I have been trying to get rid of HSA. to no avail. I followed the removal guide to a tee, SIX times (I'm persistent), It keeps coming back. Here's my HJT file after finally going to regular mode (rather than safe mode)
Logfile of HijackThis v1.98.2
Scan saved at 3:10:03 PM, on 11/29/2004
Platform: Windows XP SP1, v.1150 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
H:\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
E:\DiskeeperServer\DKService.exe
H:\Ghost 2003\GhostStartService.exe
D:\NAV\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
H:\Spam Inspector Outlook Express Edition\piiserviceOE.exe
C:\WINDOWS\System32\S3tray2.exe
D:\NAV\navapw32.exe
E:\NoAds\NoAds.exe
F:\roboform\RoboTaskBarIcon.exe
H:\Spy Sweeper\SpySweeper.exe
C:\Program Files\Wacom\TabUserW.exe
D:\PerfectMenu2\pmenu32.exe
C:\WINDOWS\system32\mfcjh.exe
C:\WINDOWS\uzagrk.txt
F:\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54351455-EFE9-7EFE-3393-B2622AF47B0F} - C:\WINDOWS\system32\javaxc.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\FLASHG~1\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\NAV\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\NAV\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\FLASHG~1\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [piiserviceOE] "H:\Spam Inspector Outlook Express Edition\piiserviceOE.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] D:\NAV\navapw32.exe
O4 - HKLM\..\Run: [mfcjh.exe] C:\WINDOWS\system32\mfcjh.exe
O4 - HKLM\..\RunOnce: [uzagrk.txt] C:\WINDOWS\uzagrk.txt
O4 - HKCU\..\Run: [NoAds] "E:\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [RoboForm] "F:\roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpySweeper] "h:\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PerfectMenu2.lnk = D:\PerfectMenu2\pmenu32.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Atomica... - file:E:\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://F:\roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - F:\FlashGet1\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\FlashGet1\jc_link.htm
O8 - Extra context menu item: Fill Forms &] - file://F:\roboform\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://F:\roboform\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - e:\swfDecompiler\InternetExplorer.htm
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\roboform\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Yahoo!\Messenger\yhexbmes11072.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Yahoo!\Messenger\yhexbmes11072.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\roboform\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\FLASHG~1\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\FLASHG~1\flashget.exe
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\swfDecompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\swfDecompiler\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlar.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {57BBF06E-D997-11D3-8997-00104BD12D94} (PCPDiskHealth Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093277655055
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite22/fvlite.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {DFD181E0-5E2F-11CE-A449-00AA004A803D} (Microsoft Forms 2.0 ScrollBar) - http://activex.microsoft.com/activex/controls/mspert10.cab
and my AboutBuster (from when I was in safe mode):
Scanned at: 2:25:42 PM on: 11/29/2004
-- Scan 1
About:Buster Version 4.0
Reference List : 18
ADS not scanned System(FAT)
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 18
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
I ran HSremove, aboutbuster, cwshredder, spybot and adaware.
I hope someone can help before I pull all my hair out! THANKS
Logfile of HijackThis v1.98.2
Scan saved at 3:10:03 PM, on 11/29/2004
Platform: Windows XP SP1, v.1150 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
H:\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
E:\DiskeeperServer\DKService.exe
H:\Ghost 2003\GhostStartService.exe
D:\NAV\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
H:\Spam Inspector Outlook Express Edition\piiserviceOE.exe
C:\WINDOWS\System32\S3tray2.exe
D:\NAV\navapw32.exe
E:\NoAds\NoAds.exe
F:\roboform\RoboTaskBarIcon.exe
H:\Spy Sweeper\SpySweeper.exe
C:\Program Files\Wacom\TabUserW.exe
D:\PerfectMenu2\pmenu32.exe
C:\WINDOWS\system32\mfcjh.exe
C:\WINDOWS\uzagrk.txt
F:\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {54351455-EFE9-7EFE-3393-B2622AF47B0F} - C:\WINDOWS\system32\javaxc.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\FLASHG~1\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\NAV\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\NAV\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - F:\FLASHG~1\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [piiserviceOE] "H:\Spam Inspector Outlook Express Edition\piiserviceOE.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] D:\NAV\navapw32.exe
O4 - HKLM\..\Run: [mfcjh.exe] C:\WINDOWS\system32\mfcjh.exe
O4 - HKLM\..\RunOnce: [uzagrk.txt] C:\WINDOWS\uzagrk.txt
O4 - HKCU\..\Run: [NoAds] "E:\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [RoboForm] "F:\roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpySweeper] "h:\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PerfectMenu2.lnk = D:\PerfectMenu2\pmenu32.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Atomica... - file:E:\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://F:\roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - F:\FlashGet1\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\FlashGet1\jc_link.htm
O8 - Extra context menu item: Fill Forms &] - file://F:\roboform\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://F:\roboform\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - e:\swfDecompiler\InternetExplorer.htm
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\roboform\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Yahoo!\Messenger\yhexbmes11072.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Yahoo!\Messenger\yhexbmes11072.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - E:\Program Files\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\roboform\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\FLASHG~1\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\FLASHG~1\flashget.exe
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\swfDecompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - e:\swfDecompiler\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlar.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {57BBF06E-D997-11D3-8997-00104BD12D94} (PCPDiskHealth Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093277655055
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite22/fvlite.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.microsoft.com/activex/controls/agent2/tv_enua.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {DFD181E0-5E2F-11CE-A449-00AA004A803D} (Microsoft Forms 2.0 ScrollBar) - http://activex.microsoft.com/activex/controls/mspert10.cab
and my AboutBuster (from when I was in safe mode):
Scanned at: 2:25:42 PM on: 11/29/2004
-- Scan 1
About:Buster Version 4.0
Reference List : 18
ADS not scanned System(FAT)
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 18
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
I ran HSremove, aboutbuster, cwshredder, spybot and adaware.
I hope someone can help before I pull all my hair out! THANKS
0
This discussion has been closed.
Comments
Reboot into Safe Mode.
Show hidden files
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\uojkj.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {54351455-EFE9-7EFE-3393-B2622AF47B0F} - C:\WINDOWS\system32\javaxc.dll
O4 - HKLM\..\Run: [mfcjh.exe] C:\WINDOWS\system32\mfcjh.exe
O4 - HKLM\..\RunOnce: [uzagrk.txt] C:\WINDOWS\uzagrk.txt
O15 - Trusted Zone: *.frame.crazywinnings.com
Please delete these files using Windows Explorer(if present):
C:\WINDOWS\system32\mfcjh.exe
C:\WINDOWS\uzagrk.txt
C:\WINDOWS\system32\javaxc.dll
C:\WINDOWS\system32\uojkj.dll
Open About:Buster
Now for the scanning part. Hit start and then Ok. The program should start scanning. Then hit exit and reboot.
Once rebooted run about:Buster once more to make sure everything is ok.
Post the report and a new HijackThis log here so we can how we did.
Wow. thanks so much,,, off to do this now,
Thanks so much for your help!!!