Options

Home Search Assistant removal

Unknown
edited November 2005 in Spyware & Virus Removal
The following is my scan: What files do I need to remove-and how do I keep them remove? Thanks very much! gmc5@prodigy.net


Logfile of HijackThis v1.99.1
Scan saved at 8:58:28 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A7.tmp.exe
C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A6.tmp.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\atldg.exe
C:\WINDOWS\msca32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Lloyd\LOCALS~1\Temp\Temporary Directory 7 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfuln.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfuln.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfuln.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfuln.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfuln.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfuln.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfuln.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05DF759A-7AB8-74F8-1007-762880E7156C} - C:\WINDOWS\atlgk.dll
O2 - BHO: Class - {0C09C91F-D6A0-CAF8-74FC-941EE3124F50} - C:\WINDOWS\apiah.dll
O2 - BHO: Class - {5365E277-F1B0-AE0D-5911-5137176007E6} - C:\WINDOWS\appdk.dll
O2 - BHO: (no name) - {A7030A8B-81B1-9908-1971-009E47C24FCA} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D9F9BB90-41F0-23DB-5F55-74ED758D5652} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [9A6.tmp] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A6.tmp.exe
O4 - HKLM\..\Run: [9A7.tmp] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A7.tmp.exe
O4 - HKLM\..\Run: [9A6.tmp.exe] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A6.tmp.exe
O4 - HKLM\..\Run: [9A7.tmp.exe] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A7.tmp.exe
O4 - HKLM\..\Run: [sdkqx32.exe] C:\WINDOWS\system32\sdkqx32.exe
O4 - HKLM\..\Run: [addun.exe] C:\WINDOWS\addun.exe
O4 - HKLM\..\Run: [d3cx32.exe] C:\WINDOWS\d3cx32.exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [iehy.exe] C:\WINDOWS\iehy.exe
O4 - HKLM\..\Run: [atldg.exe] C:\WINDOWS\atldg.exe
O4 - HKLM\..\Run: [STOPzilla] "" /autorun
O4 - HKLM\..\RunOnce: [mfcir.exe] C:\WINDOWS\system32\mfcir.exe
O4 - HKLM\..\RunOnce: [msca32.exe] C:\WINDOWS\msca32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\RunServices: [Windows Run Services] WindowsRun.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095463574930
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/s/load.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4362/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92D4F1DD-56B0-4BFA-9461-164263E663F0}: NameServer = 216.178.92.98
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Comments

  • IamMrRayIamMrRay Otis, MA
    edited November 2005
    ok... im still new to the whole virus thing cause i never get them...but im going to look now and i'll probably be back in 10 with the steps
  • IamMrRayIamMrRay Otis, MA
    edited November 2005
    wow. guess what man---you coulda just looked in the forums! no prob dude I'll give u the link http://www.short-media.com/forum/showthread.php?p=172774http://www.short-media.com/forum/showthread.php?p=172774
    yea, it has a few methods in there, so just go w/ the flow and read away man I'm gonna to cause I used to have that and I formatted the problem away which wasnt the best option.
  • LeonardoLeonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited November 2005
    lloyd,

    You are the right place. One of our volunteer specialists will assist you when they have the opportunity. Thanks for seeking us out for assistance.
  • lloyd
    edited November 2005
    Thanks-I will be looking forward to the advice. Thanks again lloyd
  • lloyd
    edited November 2005
    lloyd wrote:
    Thanks-I will be looking forward to the advice. Thanks again lloyd
  • SpywareShooterSpywareShooter 127.0.0.1
    edited November 2005
    Ouch, this log looks pretty bad.

    Before we begin to remove this infection, I am going to ask you a quick favor. Could you please go to http://virusscan.jotti.org and upload this file: WindowsRun.exe, then post back the results from the scan? This will help to complete SpywareShooter.com's HijackThis Entry Database.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfuln.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfuln.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jfuln.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jfuln.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jfuln.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfuln.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jfuln.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\msn.com
    O2 - BHO: Class - {05DF759A-7AB8-74F8-1007-762880E7156C} - C:\WINDOWS\atlgk.dll
    O2 - BHO: Class - {0C09C91F-D6A0-CAF8-74FC-941EE3124F50} - C:\WINDOWS\apiah.dll
    O2 - BHO: Class - {5365E277-F1B0-AE0D-5911-5137176007E6} - C:\WINDOWS\appdk.dll
    O2 - BHO: (no name) - {A7030A8B-81B1-9908-1971-009E47C24FCA} - (no file)
    O4 - HKLM\..\Run: [9A6.tmp] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A6.tmp.exe
    O4 - HKLM\..\Run: [9A7.tmp] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A7.tmp.exe
    O4 - HKLM\..\Run: [9A6.tmp.exe] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A6.tmp.exe
    O4 - HKLM\..\Run: [9A7.tmp.exe] C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A7.tmp.exe
    O4 - HKLM\..\Run: [sdkqx32.exe] C:\WINDOWS\system32\sdkqx32.exe
    O4 - HKLM\..\Run: [addun.exe] C:\WINDOWS\addun.exe
    O4 - HKLM\..\Run: [d3cx32.exe] C:\WINDOWS\d3cx32.exe
    O4 - HKLM\..\Run: [iehy.exe] C:\WINDOWS\iehy.exe
    O4 - HKLM\..\Run: [atldg.exe] C:\WINDOWS\atldg.exe
    O4 - HKLM\..\RunOnce: [mfcir.exe] C:\WINDOWS\system32\mfcir.exe
    O4 - HKLM\..\RunOnce: [msca32.exe] C:\WINDOWS\msca32.exe
    O4 - HKCU\..\RunServices: [Windows Run Services] WindowsRun.exe
    O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/s/load.exe

    Fix those entries then find and delete the following files:
    C:\WINDOWS\jfuln.dll
    C:\WINDOWS\atlgk.dll
    C:\WINDOWS\apiah.dll
    C:\WINDOWS\appdk.dll
    C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A6.tmp.exe
    C:\DOCUME~1\Lloyd\LOCALS~1\Temp\9A7.tmp.exe
    C:\WINDOWS\system32\sdkqx32.exe
    C:\WINDOWS\addun.exe
    C:\WINDOWS\d3cx32.exe
    C:\WINDOWS\iehy.exe
    C:\WINDOWS\atldg.exe
    C:\WINDOWS\system32\mfcir.exe
    C:\WINDOWS\msca32.exe
    WindowsRun.exe

    Then reboot your computer and post a new log.
Sign In or Register to comment.