Options
home search assistant
not a computer wiz, but i know that i have the "home search assistant" on my computer, and i have tried to uninstall it but failed. here's my hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 11:31:33 AM, on 10/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Rani\Local Settings\Temporary Internet Files\Content.IE5\7X0VO0VN\SFUninstaller[1].exe
C:\Documents and Settings\Rani\Local Settings\Temporary Internet Files\Content.IE5\7X0VO0VN\SFUninstaller[1].exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Graves Mouse\mouse32a.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\ntjb.exe
C:\WINDOWS\apimm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\Common Files\Microsoft Shared\Themes\blank
O2 - BHO: Class - {EBC3C207-D6FD-DA37-2B7D-85F249B4D83B} - C:\WINDOWS\system32\apiov.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ietp.exe] C:\WINDOWS\ietp.exe
O4 - HKLM\..\Run: [addqg.exe] C:\WINDOWS\system32\addqg.exe
O4 - HKLM\..\Run: [ntjb.exe] C:\WINDOWS\ntjb.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Graves Mouse\mouse32a.exe
O4 - HKLM\..\Run: [winod.exe] C:\WINDOWS\winod.exe
O4 - HKLM\..\Run: [sdkgh32.exe] C:\WINDOWS\system32\sdkgh32.exe
O4 - HKLM\..\Run: [mfcos32.exe] C:\WINDOWS\system32\mfcos32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24b05f65e96a65185920/netzip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apimm.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Rani\Local Settings\Temporary Internet Files\Content.IE5\7X0VO0VN\SFUninstaller[1].exe" service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Logfile of HijackThis v1.99.1
Scan saved at 11:31:33 AM, on 10/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Rani\Local Settings\Temporary Internet Files\Content.IE5\7X0VO0VN\SFUninstaller[1].exe
C:\Documents and Settings\Rani\Local Settings\Temporary Internet Files\Content.IE5\7X0VO0VN\SFUninstaller[1].exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Graves Mouse\mouse32a.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\ntjb.exe
C:\WINDOWS\apimm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis_199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wntcu.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\Common Files\Microsoft Shared\Themes\blank
O2 - BHO: Class - {EBC3C207-D6FD-DA37-2B7D-85F249B4D83B} - C:\WINDOWS\system32\apiov.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ietp.exe] C:\WINDOWS\ietp.exe
O4 - HKLM\..\Run: [addqg.exe] C:\WINDOWS\system32\addqg.exe
O4 - HKLM\..\Run: [ntjb.exe] C:\WINDOWS\ntjb.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Graves Mouse\mouse32a.exe
O4 - HKLM\..\Run: [winod.exe] C:\WINDOWS\winod.exe
O4 - HKLM\..\Run: [sdkgh32.exe] C:\WINDOWS\system32\sdkgh32.exe
O4 - HKLM\..\Run: [mfcos32.exe] C:\WINDOWS\system32\mfcos32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24b05f65e96a65185920/netzip/RdxIE601.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apimm.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\Rani\Local Settings\Temporary Internet Files\Content.IE5\7X0VO0VN\SFUninstaller[1].exe" service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
0
Comments
Most malware is designed to attack unpatched XP systems - exploiting the available 'holes' - and can bypass third-party protection on an unpatched system. The most that can be done with an unpatched system is put a temporary bandage on it. Your system can potentially be reinfected within minutes of cleaning it.
==
Download CWShredder 2.15 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.
===============
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
===============
Download AboutBuster 5:
http://www.besttechie.net/tools/AboutBuster5.zip
http://www.malwarebytes.biz/AboutBuster5.zip
Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.
Click Update. This will start updating AboutBuster with the latest definition database.
Once it's done updating and you see that dialog, click Ok.
Close AboutBuster.
Reboot into safe mode following the instructions here.
Start AboutBuster and click Begin Removal.
When the scan is done, click Ok.
Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.
Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.