Homesearch Problems, my HJT log, please help

Hello everyone, I have registered after being unable to find some of the services, so I thought I'd put my startuplist.txt here hoping someone can help me out. I'll attach my current HJT log too, in case someone can point it out straight away just by seeing that. I have run AVG on a full scan, as well as a Spybot full scan and found plenty to delete so far :)

Thanks in advance for the help!

Startuplist.txt from HJT (Could only find the Network Security Service so far)

I will continue to follow up the Homesearch removal guide myself, and if I can resolve the problem by myself I will close/edit this thread :)

Comments

  • Crunchie Mandurah. Western Australia. Member
    edited December 2004
    Can you paste your log into the reply rather than attach it? Makes it sooooo much easier :).
  • edited December 2004
    ok a little update... I continued with the guide from scratch again
    Ad-aware fully up to date - full scan, fixed a few things
    Spybot updated - searched and fixed a few things
    AVG anti-virus up to date - full scan, nothing found

    Hard boot to safe mode, HJT then checked log with previous, all filenames were the same for dodgy looking .dlls "jhpka.dll" in my case, also there was a O2 BHO: (no name) which was "addjy.dll", I fixed these and all others with same name, there was nothing in the RUN entries or RunOnce.

    About:buster next, I think it only found a few things to change...
    Quarantined the leftover C:\Windows\jhpka.dll + C:\Windows\addjy.dll files

    Went into registry, could only find the Net Security Service to delete under
    Services, couldn't find any at all under Enum\Root...

    Cleaned the C: drive
    Hard booted to normal, loaded IE and the about:blank page was actually blank, not the homesearch page :P nice result, reset to google and did some surfing, no pop ups or redirects, closed IE feeling pleased...

    however after the final sweep of HJT the logfile still included the "jhpka.dll" files and the "addjy.dll", although the addjy.dll has in brackets: "file missing".
    If someone replies to this, can they please let me know if my PC is now clean, or if I still have work to do to fully remove it...

    Thanks again in advance for any further help :P

    EDIT-- oops! sorry, it just looked so long and irritating in the post, thought attachment would be easier lol... here is my latest after carrying out the steps from the removal guide at my current situation:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:09:48, on 22/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVGANT~1\avgamsvr.exe
    C:\PROGRA~1\AVGANT~1\avgupsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVGANT~1\avgcc.exe
    C:\PROGRA~1\AVGANT~1\avgemc.exe
    C:\Documents and Settings\Mark Goodway\Application Data\fc?e?.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {61ECDB4F-A396-E4D3-5428-0BF75BA8E878} - C:\WINDOWS\addjy.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [T1jtlP8.exe] C:\documents and settings\mark goodway\local settings\temp\T1jtlP8.exe
    O4 - HKLM\..\Run: [hcOQEB4.exe] C:\documents and settings\mark goodway\local settings\temp\hcOQEB4.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGANT~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVGANT~1\avgemc.exe
    O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\Mark Goodway\Application Data\fc?e?.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{38CFA040-76CF-43EF-B7E6-C05C6728BC98}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{38CFA040-76CF-43EF-B7E6-C05C6728BC98}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS3\Services\Tcpip\..\{38CFA040-76CF-43EF-B7E6-C05C6728BC98}: NameServer = 192.168.2.1
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • Crunchie Mandurah. Western Australia. Member
    edited December 2004
    I reckon you have got it beat :). Just do the following, then reboot a few times, do a bit of surfing and see how it goes. Oh and Get at least service pack 1 for both XP and IE! :D http://windowsupdate.microsoft.com/

    Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jhpka.dll/sp.html#59130
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {61ECDB4F-A396-E4D3-5428-0BF75BA8E878} - C:\WINDOWS\addjy.dll (file missing)

    O4 - HKLM\..\Run: [T1jtlP8.exe] C:\documents and settings\mark goodway\local settings\temp\T1jtlP8.exe
    O4 - HKLM\..\Run: [hcOQEB4.exe] C:\documents and settings\mark goodway\local settings\temp\hcOQEB4.exe
    O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\Mark Goodway\Application Data\fc?e?.exe

    Reboot into safe mode and delete these;

    C:\documents and settings\mark goodway\local settings\temp<----folder contents
    C:\Documents and Settings\Mark Goodway\Application Data\fc?e?.exe<----file

    Hidden files\folders will have to be unhidden.

    Reboot normally.
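
Added example, not part of the original thread or of HijackThis: a small triage script that flags the kinds of entries discussed above (IE settings pointing at a `res://` DLL resource, an unnamed or orphaned BHO, autoruns from Temp or with undisplayable filenames). The heuristics and the `triage` function are assumptions made for illustration; the sample lines are copied from the log posted in this thread.

```python
import re

# Sample input: a subset of lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jhpka.dll/sp.html#59130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61ECDB4F-A396-E4D3-5428-0BF75BA8E878} - C:\WINDOWS\addjy.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [T1jtlP8.exe] C:\documents and settings\mark goodway\local settings\temp\T1jtlP8.exe
O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\Mark Goodway\Application Data\fc?e?.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVGANT~1\avgemc.exe
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

def triage(log_text):
    """Return (code, reason, body) for entries matching the heuristics.

    Assumed heuristics for review, not a verdict: a flagged line still
    needs a human to decide whether it should be fixed.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue  # header, running-process list, or blank line
        code, body = m.groups()
        low = body.lower()
        if code in ("R0", "R1") and re.search(r"=\s*res://.*\.dll/", low):
            findings.append((code, "IE setting served from a local DLL resource", body))
        elif code == "O2" and ("(no name)" in low or "(file missing)" in low):
            findings.append((code, "unnamed or orphaned BHO", body))
        elif code == "O4" and "\\temp\\" in low:
            findings.append((code, "autorun from a Temp folder", body))
        elif code == "O4" and "?" in body:
            # Assumption: '?' stands in for characters the log could not display.
            findings.append((code, "autorun with undisplayable filename", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {body}")
```
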
  • edited December 2004
    thanks very much for your help, system seems to be doing well after a fair bit of surfing, no problems seem to be occurring :)

    thanks again!
  • Crunchie Mandurah. Western Australia. Member
    edited December 2004
    Cool :). You did all the work :D