Home Search Assistant HELP!!!

Afternoon folks. I'm in dire need of some help (or a ball bat :D ). I've managed to get the Home Search Assistant on my home PC.

I've run Spybot, Ad-Aware, HSRemove and everything else. I've been through the removal guide here. Excellent guide by the way. That didn't get it though. I could have missed something, but I've tried it twice now and cannot get it to take.

Here is the HJT log file.

HijackThis v1.99.1
Scan saved at 1:30:08 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\winqa.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\r3proxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\DOCUME~1\KEVINK~1\LOCALS~1\Temp\59.tmp.exe
C:\DOCUME~1\KEVINK~1\LOCALS~1\Temp\5A.tmp.exe
C:\WINDOWS\iejg32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera\Opera.exe
C:\hijackthis\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {7A193F04-BFD4-8A44-1449-091C5B906307} - C:\WINDOWS\system32\appic.dll
O2 - BHO: Class - {827E1FE8-9C39-95A4-CA3E-FEC6A5DF8173} - C:\WINDOWS\sdkwh32.dll (file missing)
O2 - BHO: Class - {A1BDA9E7-0B9F-B869-C13D-878804F6F99E} - C:\WINDOWS\crvq.dll
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [crbs32.exe] C:\WINDOWS\system32\crbs32.exe
O4 - HKLM\..\Run: [59.tmp] C:\DOCUME~1\KEVINK~1\LOCALS~1\Temp\59.tmp.exe
O4 - HKLM\..\Run: [5A.tmp] C:\DOCUME~1\KEVINK~1\LOCALS~1\Temp\5A.tmp.exe
O4 - HKLM\..\Run: [59.tmp.exe] C:\DOCUME~1\KEVINK~1\LOCALS~1\Temp\59.tmp.exe
O4 - HKLM\..\Run: [5A.tmp.exe] C:\DOCUME~1\KEVINK~1\LOCALS~1\Temp\5A.tmp.exe
O4 - HKLM\..\Run: [iewi.exe] C:\WINDOWS\system32\iewi.exe
O4 - HKLM\..\Run: [msfg32.exe] C:\WINDOWS\msfg32.exe
O4 - HKLM\..\Run: [syskk32.exe] C:\WINDOWS\syskk32.exe
O4 - HKLM\..\Run: [crgv32.exe] C:\WINDOWS\crgv32.exe
O4 - HKLM\..\Run: [iemp.exe] C:\WINDOWS\iemp.exe
O4 - HKLM\..\Run: [crpu32.exe] C:\WINDOWS\system32\crpu32.exe
O4 - HKLM\..\Run: [wintl.exe] C:\WINDOWS\wintl.exe
O4 - HKLM\..\Run: [sdkui32.exe] C:\WINDOWS\sdkui32.exe
O4 - HKLM\..\Run: [iejg32.exe] C:\WINDOWS\iejg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFE12DDA-6D0B-47B9-A84E-DD0C3976ABAC}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winqa.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

If anyone would be so kind as to instruct me what to kill I'd be very appreciative.

Thanks

kevin klick
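As an added example (not from this thread, and not part of HijackThis or any of the tools named later), here is a small Python triage script that applies the patterns visible in the log above to a constructed sample of its lines: IE search settings redirected into a res:// DLL resource, a nameless BHO loading from the Windows directory, Run entries launched from Temp or named after their own executable, and a service whose short name is garbage. The `check_line`/`triage` names and the heuristics themselves are assumptions made for this example, not rules from the page.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above, plus three
# legitimate lines (Intel tray, Java BHO, Creative service) the heuristics must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujkfk.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {A1BDA9E7-0B9F-B869-C13D-878804F6F99E} - C:\WINDOWS\crvq.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [59.tmp] C:\DOCUME~1\KEVINK~1\LOCALS~1\Temp\59.tmp.exe
O4 - HKLM\..\Run: [crbs32.exe] C:\WINDOWS\system32\crbs32.exe
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winqa.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
"""

R_RE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>[^(]*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")


def check_line(line):
    """Reason string if the line matches a CWS-style indicator from this thread, else None."""
    if (m := R_RE.match(line)) and m["value"].lower().startswith("res://"):
        # IE search/start settings redirected into res://<random>.dll/sp.html: the hijack itself.
        return "search setting points into a local DLL resource"
    if (m := O2_RE.match(line)) and m["name"].strip() in ("Class", "(no name)") \
            and "program files" not in m["path"].lower():
        # A nameless BHO whose DLL sits under %WINDIR% rather than Program Files: the loader.
        return "unnamed BHO loading a DLL from the Windows directory"
    if (m := O4_RE.match(line)) and ("\\temp\\" in m["cmd"].lower()
                                      or m["entry"].lower().endswith((".exe", ".tmp"))):
        # Run entries launched from Temp or named after their own exe: the reinstaller droppers.
        return "autostart from Temp or named after its own executable"
    if (m := O23_RE.match(line)) and m["short"] and not m["short"].isascii():
        # A service whose short name is garbage bytes: the fake 'Network Security Service'.
        return "service with a non-ASCII (garbage) short name"
    return None


def triage(log_text):
    """Return (section, reason, line) for every flagged line, in log order."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = check_line(line) if line else None
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line))
    return hits

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:<4}{reason}: {line}")
```

Running it against the full log in the post flags the same families of entries the helper below tells the poster to remove; the legitimate Intel, HP, Java and Creative entries are left alone.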

Comments

  • Crunchie (Mandurah, Western Australia), Member
    edited December 2005
    Download CWShredder 2.19 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    ===============

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    ===============

    Download AboutBuster 5:

    http://www.besttechie.net/tools/AboutBuster5.zip
    http://www.malwarebytes.biz/AboutBuster5.zip

    Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.

    Click Update. This will start updating AboutBuster with the latest definition database.

    Once it's done updating and you see that dialog, click Ok.

    Close AboutBuster.

    Reboot into safe mode following the instructions here.

    Start AboutBuster and click Begin Removal.

    When the scan is done, click Ok.


    Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • edited December 2005
    Crunchie wrote:
    Download CWShredder 2.19 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    ===============

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    ===============

    Download AboutBuster 5:

    http://www.besttechie.net/tools/AboutBuster5.zip
    http://www.malwarebytes.biz/AboutBuster5.zip

    Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.

    Click Update. This will start updating AboutBuster with the latest definition database.

    Once it's done updating and you see that dialog, click Ok.

    Close AboutBuster.

    Reboot into safe mode following the instructions here.

    Start AboutBuster and click Begin Removal.

    When the scan is done, click Ok.


    Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


    OK, did everything as mentioned above. Problem is still occurring.

    Here is the new HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:52:16 PM, on 12/13/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\r3proxy.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\mfckj.exe
    C:\WINDOWS\sdkdf.exe
    C:\hijackthis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rfsyc.dll/sp.html#17702
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rfsyc.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rfsyc.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rfsyc.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rfsyc.dll/sp.html#17702
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rfsyc.dll/sp.html#17702
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rfsyc.dll/sp.html#17702
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {98CC5AAE-235D-FAA5-55FF-15141C8ADB12} - C:\WINDOWS\mfcaz.dll
    O2 - BHO: Class - {C3C3A211-92CE-7D05-4A6A-E146C7063B81} - C:\WINDOWS\iegu32.dll
    O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Fellowes Proxy] C:\WINDOWS\system32\r3proxy.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [sdkdf.exe] C:\WINDOWS\sdkdf.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EFE12DDA-6D0B-47B9-A84E-DD0C3976ABAC}: NameServer = 166.102.165.11 166.102.165.13
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfckj.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

    Here is the Ewido log.

    ewido security suite - Scan report

    + Created on: 2:47:19 PM, 12/13/2005
    + Report-Checksum: B210C065

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Cookies\karen klick@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Cookies\karen klick@data4.perf.overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Cookies\karen klick@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Cookies\karen klick@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\1.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\2.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\3.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\4.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\5.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\6.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\7.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\8.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\9.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Karen Klick\Local Settings\Temp\A.tmp -> Trojan.Small.ga : Cleaned with backup
    C:\Documents and Settings\Kevin Klick\Cookies\kevin klick@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\WINDOWS\atlso32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\KB899591.log:hbfns -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\KB900725.log:ljjys -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\KB905414.log:phsyu -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\mfcaz.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\mfcti.exe -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\ntje.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\nxyye.dll -> Adware.SearchPage : Cleaned with backup
    C:\WINDOWS\system32\addyw32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\system32\atlov32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\system32\crgl.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\system32\crxd.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\system32\sdkja32.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\system32\sdklp.exe -> Trojan.Agent.bi : Cleaned with backup
    C:\WINDOWS\_default(3).pif:bpqep -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\_default(4).pif:bpqep -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\_default.pif:bpqep -> Downloader.Agent.td : Cleaned with backup
    C:\WINDOWS\_default.pif:fmhqa -> Downloader.Agent.td : Cleaned with backup


    ::Report End


    Thanks for the help so far. Where to next?
  • Crunchie (Mandurah, Western Australia), Member
    edited December 2005
    Download CWShredder 2.19 from here.

    Download 'SpSeHjfix' to the desktop, then
    right-click a blank part of the desktop and select New Folder; call it spfix and
    unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix' and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

    Run the shredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    ==

    Redo the instructions from my previous post after completing the above.

    ==

    Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.
  • edited December 2005
    OK, I got sick of it so I wiped the whole thing. Sorry, but my patience was getting a bit thin. Well, it's fixed now. Thanks for the suggestions though.
  • Crunchie (Mandurah, Western Australia), Member
    edited December 2005
    Cool :).