Options
Home search assisstant problem
Hi my name's Cori,
I just got this spyware on my pc (home search assisstant) and wow is it ugly.
From reading the how to in the forums here ive updated and run both ad aware and spybotsd. Ad aware found one file that i quarantined and spybot came up empty. I also tried hsremove but with no luck.
I cant make alot of sense out of my highjack this log file, I would appreciate some help to identify what to fix. Heres me log.
Logfile of HijackThis v1.99.0
Scan saved at 1:29:23 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAMS\AVP Pro\avpcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\d3ey.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\addaf32.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\PROGRAMS\ZoneAlarm\zapro.exe
D:\PROGRAMS\AVP Pro\avpcc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
D:\PROGRAMS\Ghost 2003\GhostStartService.exe
D:\PROGRAMS\AVP Pro\avpm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Giblet.INTENT\Desktop\stuff\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F52A683D-86BC-5DC9-8231-5370AB157678} - C:\WINDOWS\system32\ipua.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "D:\PROGRAMS\AVP Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "D:\PROGRAMS\AVP Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3ey.exe] C:\WINDOWS\system32\d3ey.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AgeOfCastles_Setup.exe] C:\DOCUME~1\GIBLET~1.INT\Desktop\NEWFOL~1\AGEOFC~1.EXE /r
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\PROGRAMS\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ece12075e5c7a8b601/netzip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\addaf32.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpcc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRAMS\Ghost 2003\GhostStartService.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpm.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I also did one in safe mode.
Logfile of HijackThis v1.99.0
Scan saved at 1:38:39 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Giblet.INTENT\Desktop\stuff\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F52A683D-86BC-5DC9-8231-5370AB157678} - C:\WINDOWS\system32\ipua.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "D:\PROGRAMS\AVP Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "D:\PROGRAMS\AVP Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3ey.exe] C:\WINDOWS\system32\d3ey.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AgeOfCastles_Setup.exe] C:\DOCUME~1\GIBLET~1.INT\Desktop\NEWFOL~1\AGEOFC~1.EXE /r
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\PROGRAMS\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ece12075e5c7a8b601/netzip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\addaf32.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpcc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRAMS\Ghost 2003\GhostStartService.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpm.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I just got this spyware on my pc (home search assisstant) and wow is it ugly.
From reading the how to in the forums here ive updated and run both ad aware and spybotsd. Ad aware found one file that i quarantined and spybot came up empty. I also tried hsremove but with no luck.
I cant make alot of sense out of my highjack this log file, I would appreciate some help to identify what to fix. Heres me log.
Logfile of HijackThis v1.99.0
Scan saved at 1:29:23 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAMS\AVP Pro\avpcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\d3ey.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\addaf32.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\PROGRAMS\ZoneAlarm\zapro.exe
D:\PROGRAMS\AVP Pro\avpcc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
D:\PROGRAMS\Ghost 2003\GhostStartService.exe
D:\PROGRAMS\AVP Pro\avpm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Giblet.INTENT\Desktop\stuff\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F52A683D-86BC-5DC9-8231-5370AB157678} - C:\WINDOWS\system32\ipua.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "D:\PROGRAMS\AVP Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "D:\PROGRAMS\AVP Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3ey.exe] C:\WINDOWS\system32\d3ey.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AgeOfCastles_Setup.exe] C:\DOCUME~1\GIBLET~1.INT\Desktop\NEWFOL~1\AGEOFC~1.EXE /r
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\PROGRAMS\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ece12075e5c7a8b601/netzip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\addaf32.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpcc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRAMS\Ghost 2003\GhostStartService.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpm.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I also did one in safe mode.
Logfile of HijackThis v1.99.0
Scan saved at 1:38:39 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Giblet.INTENT\Desktop\stuff\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F52A683D-86BC-5DC9-8231-5370AB157678} - C:\WINDOWS\system32\ipua.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "D:\PROGRAMS\AVP Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "D:\PROGRAMS\AVP Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3ey.exe] C:\WINDOWS\system32\d3ey.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AgeOfCastles_Setup.exe] C:\DOCUME~1\GIBLET~1.INT\Desktop\NEWFOL~1\AGEOFC~1.EXE /r
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\PROGRAMS\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ece12075e5c7a8b601/netzip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\addaf32.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpcc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRAMS\Ghost 2003\GhostStartService.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - D:\PROGRAMS\AVP Pro\avpm.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
0
Comments
Hi! and welcome to the Short-Media forums
===============
Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.
===============
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
===============
Download CWShredder 2.14 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.
===============
Download, unzip to your desktop About:Buster and run it, then:
1. Click "Update".
2. Click "Check For Update"
(If no new version is available, skip to step #4.)
3. Click "Download Update", and wait for it to be installed.
4. Click "Start".
(Wait for the initial ADS scan to complete.)
5. Click "Yes", to shutdown any IE session currently open.
(Wait for the about:blank scan to complete.)
6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.
9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
12. "Reboot"..
===============
Next, Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
-
Now, locate and 'stop' the following services, if present:
Remote Procedure Call (RPC) Helper ... (C:\WINDOWS\addaf32.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\system32\d3ey.exe
C:\WINDOWS\addaf32.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Now, let's open a command prompt by going to the start menu and then select 'Run'.
In the box that pops up type in 'cmd'. The command prompt will open.
OR
You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u ipua.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.
===============
Run HiJackThis and click "Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vxgam.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F52A683D-86BC-5DC9-8231-5370AB157678} - C:\WINDOWS\system32\ipua.dll
O4 - HKLM\..\Run: [d3ey.exe] C:\WINDOWS\system32\d3ey.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ece12...ip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\addaf32.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"
files...
C:\WINDOWS\system32\d3ey.exe
C:\WINDOWS\addaf32.exe
C:\WINDOWS\vxgam.dll
C:\WINDOWS\system32\ipua.dll
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
To help protect your system from hostile ActiveX content, or special 'downloadable' files:
Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:
1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.
-
Note: Remember to regularly check for updates.
===============
After rebooting your PC, post back a new log and let me know how everything goes.
-
crunchie.
I couldnt get my system scaned online at all, i even turned off zone alarm to see if that was causing probs. Downloaded and ran cws.
Wasnt able to kill addaf32.exe with hjt, but did delete it in safe mode. heres me log files.
Logfile of HijackThis v1.99.1
Scan saved at 2:37:58 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAMS\AVP Pro\avpcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
D:\PROGRAMS\AVP Pro\avpcc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTSvcCDA.exe
D:\PROGRAMS\Ghost 2003\GhostStartService.exe
D:\PROGRAMS\AVP Pro\avpm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\addaf32.exe
C:\Documents and Settings\Giblet.INTENT\Desktop\anti tools\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B30935E5-0AC7-9FEE-68F6-CDED9E405F57} - C:\WINDOWS\system32\appim32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "D:\PROGRAMS\AVP Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "D:\PROGRAMS\AVP Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [d3ey.exe] C:\WINDOWS\system32\d3ey.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\PROGRAMS\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ece12075e5c7a8b601/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addaf32.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - D:\PROGRAMS\AVP Pro\avpcc.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRAMS\Ghost 2003\GhostStartService.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - D:\PROGRAMS\AVP Pro\avpm.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Scanned at: 8:47:18 PM on: 4/23/2005
-- Scan 1
About:Buster Version 4.0
Reference List : 25
No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 25
No ADS found on system
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
Scanned at: 2:29:19 PM on: 4/24/2005
-- Scan 1
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Removed 3 Random Key Entries
Removed! : C:\WINDOWS\System32\evoni.dat
Removed! : C:\WINDOWS\System32\jumvd.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2
About:Buster Version 4.0
Reference List : 26
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Well when i rebooted my browser went to google australia, and only the best pop up appeared.
===============
Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
-
Now, locate and 'stop' the following services, if present:
Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINDOWS\addaf32.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\addaf32.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Run HiJackThis and click "Scan", then check(tick) the following, if present:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B30935E5-0AC7-9FEE-68F6-CDED9E405F57} - C:\WINDOWS\system32\appim32.dll
O4 - HKLM\..\Run: [d3ey.exe] C:\WINDOWS\system32\d3ey.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17ece12...ip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\addaf32.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"
files...
C:\WINDOWS\addaf32.exe
C:\WINDOWS\system32\appim32.dll
C:\WINDOWS\system32\d3ey.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
To help protect your system from hostile ActiveX content, or special 'downloadable' files:
Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:
1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.
-
Note: Remember to regularly check for updates.
===============
Try this scan at Panda and see if that works.
===============
After rebooting your PC, post back a new log and let me know how everything goes.
-
crunchie.
from your last post i was able to figure it out, but it took at bit more to get rid of this nasty thing, after about 4 attempts on my own in safe mode and using hsremove i managed to kill it (hopefully) i used norton to get rid of some virus's i had but it conflicted with another anti virus program i had installed