Problem Won't Go Away

Unknown
edited July 2005 in Spyware & Virus Removal
I've tried following the explanation with hijack, etc. for getting rid of Assistent adware, but hours later, still there. Can you please assist? Here is my log. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 03:44:55, on 06/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\addem.exe
C:\WINDOWS\syswx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\MICROS~3\MSSQL$~1\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CAP3RSK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\SmartFTP\SmartFTP.exe
C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\yisraelharris\שולחן העבודה\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\udbti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\udbti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\udbti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\udbti.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\udbti.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\udbti.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\udbti.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Proxy.Actcom.net.il:8080
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\yisraelharris\Application Data\Mozilla\Profiles\default\jlza3kcm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\yisraelharris\Application Data\Mozilla\Profiles\default\jlza3kcm.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {4AD1D7DD-5E68-FF69-B9D7-6A0790685425} - C:\WINDOWS\system32\mfcjd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [javaok.exe] C:\WINDOWS\javaok.exe
O4 - HKLM\..\Run: [syswx.exe] C:\WINDOWS\syswx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: AccessRunner DSL.lnk = ?
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: SmartFTP.lnk = ?
O4 - Startup: הפעל את דפדפן Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: סייר Windows.lnk = C:\WINDOWS\explorer.exe
O4 - Startup: קיצור דרך אל ‎Clients.mdb.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Work\Yisrael\Business\Clients.mdb
O4 - Startup: קיצור דרך אל ‎Company.doc.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Work\Yisrael\Company.doc
O4 - Startup: קיצור דרך אל ‎Finance.rtf.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Documents\Finance.rtf
O4 - Startup: קיצור דרך אל ‎Planner.rtf.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Documents\Planner.rtf
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6369B42-3CC8-4610-962D-A9C6A6094EAC}: NameServer = 192.114.47.4 192.114.47.52
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Network Security Service ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINDOWS\addem.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Comments

  • yisraelharris
    edited July 2005
    Here is one piece of information: when I run SpySubtract, it finds files and I delete them. But when I try to delete through it Kazaa files, it hangs. I don't know if this is relevant -- I installed Kazaa 18 months ago, and the adware problem happened a few hours ago.
  • The-CriticThe-Critic USA
    edited July 2005
    A lot of adware problems are timely. Suppose you don't access a certain program for that 18 months. Well, that adware could have been waiting for you to activate it through that one program that it was targeting. Time doesn't matter, lets just solve this thing.

    And from the looks of your log, you're going to want to take some small steps first. Go here: http://www.safer-networking.org/en/mirrors/index.html and download spybot from one of the mirror locations. Install it, run it. Post what you find, and then post another hijack log.
  • yisraelharris
    edited July 2005
    Hi. I am in bad shape. I think I am currently the victim of several adwares.

    Syptoms:
    1. Whenever I try to go to google (which I typically do all day long), http://www.oneclicksearches.com/ comes up instead.

    2. I'm getting flooded with popups.

    3. In C:\windows, and especially in c:\windows\system32, every few minutes, new dll and exe files are being created, like ipur32.exe.

    4. I went to run>serves.msc and "Workstation NetLogon Service" is there -- but it won't let me halt or set it to inactive. Gives me a message that I cannot do that.

    5. When I go to my desktop, instead of my usual wallpaper, I get instead a huge black background with a clickable area. When I click on it, I get to antivirus-gold.com. Attempting to change my wallpaper is irrelevant, because my wallpaper settings haven't changed.

    6. I don't know if this is related, but when I attempt to do a disk clean, it stalls at the first step -- calculate amount of space that can be used from C:. After I cancel it, it continues to consume about 95% of CPU until I kill it in task manager.

    Please note that all of this is happening as I speak -- even though I have verified that there are currently no "bad" processes running in task manager.

    Antispyware I currently have installed and have been running over and over:

    1. Spysubtract
    2. Spybot
    3. MS's antispyware
    4. Hijack This
    5. About Buster
    6. Ad Aware

    I have been at this for about 12 hours. Please assist.
  • yisraelharris
    edited July 2005
    Hi!

    Things are much better now. Most of the symptoms are gone: no bogus processes, I can get to google, no popus, no bogus files in C:\windows, shopping assistent gone from list of software, etc. etc.

    HOWEVER --

    1. I am STILL getting the problematic results in HijackThis. They are below. Note that among other things, they refer to C:windows\ujgxy.dll -- this has been the case for the past several reboots -- and there is no such file. What's the story on this?

    2. Also, when I try to a disk cleanup on C:, it still hangs.

    THANKS

    HIJACKTHIS RESULTS:

    Logfile of HijackThis v1.99.1
    Scan saved at 13:14:21, on 07/07/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\MICROS~3\MSSQL$~1\binn\sqlservr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\CAP3RSK.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\SmartFTP\SmartFTP.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\Program Files\Microsoft Office\Office10\MSACCESS.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\yisraelharris\שולחן העבודה\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Proxy.Actcom.net.il:8080
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\yisraelharris\Application Data\Mozilla\Profiles\default\jlza3kcm.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\yisraelharris\Application Data\Mozilla\Profiles\default\jlza3kcm.slt\prefs.js)
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp648.tmp (file missing)
    O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: AccessRunner DSL.lnk = ?
    O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
    O4 - Startup: SmartFTP.lnk = ?
    O4 - Startup: הפעל את דפדפן Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
    O4 - Startup: סייר Windows.lnk = C:\WINDOWS\explorer.exe
    O4 - Startup: קיצור דרך אל ‎Clients.mdb.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Work\Yisrael\Business\Clients.mdb
    O4 - Startup: קיצור דרך אל ‎Company.doc.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Work\Yisrael\Company.doc
    O4 - Startup: קיצור דרך אל ‎Finance.rtf.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Documents\Finance.rtf
    O4 - Startup: קיצור דרך אל ‎Planner.rtf.lnk = C:\Documents and Settings\yisraelharris\My Documents\Yisrael\Documents\Planner.rtf
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6369B42-3CC8-4610-962D-A9C6A6094EAC}: NameServer = 192.114.47.4 192.114.47.52
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited July 2005
    Please make sure that you can VIEW ALL HIDDEN FILES.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ujgxy.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp648.tmp (file missing)
    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
    O4 - Startup: הפעל את דפדפן Internet Explorer.lnk = C:\Program Files\Internet Explorer\iexplore.exe
    O4 - Startup: סייר Windows.lnk = C:\WINDOWS\explorer.exe
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab


    Reboot your computer into SAFE MODE

    Then delete this file:

    C:\WINDOWS\System32\msmsgs.exe


    Reboot your computer to go back to normal mode. Run msconfig and enable all startup items. Reboot your computer once again and post a new hijackthis log.
  • yisraelharris
    edited July 2005
    Thanks. I think I'm okay.

    Actually, after 2-3 hours of clear sailing yesterday, all of a sudden the oneclicksearches.com problem returned! And I got that problem whenever I tried to go to google, yahoo, or most microsoft pages!

    I ultimately followed the instructions here:
    http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html

    That pretty much did the trick. I've been okay for the past 10+ hours.

    I also installed MS's free beta antispyware, and I think that was a significant part of getting rid of the adware. I'm also about to install Windows SP2, which I understand I defnitely should have already installed.

    All together, I spent about 16 HORRIBLE hours on this.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited July 2005
    Good to hear you got it sorted out. :)
This discussion has been closed.