
Home Search Assistent


Name: Badas
Date: June 15, 2004 at 22:15:26 Pacific
OS: Windows XP
CPU/Ram: 2.6G / 512 Ram
Comment:

I have fallen victim to a brand new hijack program called "Home Search Assistent". It causes pop-ups, hijacks the home page and cannot be "removed" from the add/remove programs. When you hit "remove" it sends you to a foreign pornsite. Can anyone out there help? None of the Adware, Spybot or virus protection programs recognize it yet.




Response Number 1
Name: murve
Date: June 16, 2004 at 08:44:26 Pacific
Reply:

hi brad,
try this if you wish:
go to registry and do a search on home search assistant in your registry. if found delete the value or folder. reboot your computer.

chances are that the entry is also in your downloaded ActiveX folder and in your hosts file.
if it is indeed there, you will have to remove the entries in those folders.
to check for the ActiveX file:
while online hit your tools button, go to internet options, go to settings button, then hit the view objects button, a box will open with a list of all the ActiveX programs that you have downloaded. right click on each and go to properties, find the offending one right click and hit remove. find the hosts file open it up check and see if the ip address for home search assistant is there, if there delete it. make sure you don't delete the 127.0.0.1 address. that's your computer's default address.
once that is done search for home search assistant file or folder in your windows and system directories and delete it.
hope this helps, all the best,
murve


0

Response Number 2
Name: badas
Date: June 16, 2004 at 14:33:09 Pacific
Reply:

Murve I really appreciate the help, but this hijack program is a huge problem...
It's linked itself with google search, the internet explorer and multiple other programs so even if you find it and delete it, it replicates itself after opening other regularly used programs. There are zero references to this particular virus anywhere on the web yet. I followed your instructions and nothing was found. These guys are good.


0

Response Number 3
Name: Darcy79
Date: June 16, 2004 at 16:42:13 Pacific
Reply:

I have the exact same hijack. I've had absolutely no luck removing it. I have run ad-ware, spybot and CWshredder with no luck. Please Help Me!


0

Response Number 4
Name: jkloos
Date: June 16, 2004 at 19:42:18 Pacific
Reply:

I just fell victim. I have windows 2000. I'm no expert at this, but, I did discover a way to at least block the effects of the hijack. This thing installs two files in the WINNT folder. One named dhogb.dll. The other is named dhogb.dat. I disconnected from the Internet. Then I deleted the two files and replaced them with fakes-- meaning files I created with Notepad, named them the same, then dragged them into WINNT folder.

I have also tried de-installing IE 6.0. The de-install utility does NOT work. I tried installing the newest release over top of IE 6.0. That didn't work either. So, I'm using Netscape until I find a better fix.

Hoping somebody can advise us soon. -JK


0

Response Number 5
Name: murve
Date: June 16, 2004 at 19:58:46 Pacific
Reply:

hi brad,
download hijackthis to your program directory.
scan your machine, and post your log here, someone with expertise will take a look at it.
all the best,
murve


0




Response Number 6
Name: atomicdog420
Date: June 16, 2004 at 20:00:00 Pacific
Reply:

i believe i have defeated the 'home search ass-is-tent'. after a great battle. this is put together thru parts of other ideas from all over the web. i found that what it does is replicate itself every time you delete the infected files. what you need to do:
1. ctrl alt delete and kill all processes that look dodgy. mine was called 'ntee2' but it could be any 5 random letters. kill any that you see.

2. from the start menu, select run and type 'services.msc'. find the 'Network Security Service' and from properties set it to disable. this is the little bugger that keeps replicating the files.

3. in the windows explorer go to c:\windows. delete all of the random 5 letter named files. they will be dll, exe, and dat files. the dats are about 89 k. the easiest way is to view details, click on modify and select created. then you can see when the files were made. repeat the process in the c:\windows\system32 folder. (here i just sorta got anything that was named even remotely suspicious that was created in the last few days. you need to be sure to get all the bad files or you'll have to repeat the process).

4. delete all files in the
C:\Documents and Settings\(Your User Name)\Local Settings\Temp
and
C:\Documents and Settings\(Your User Name)\Local Settings\Temporary Internet Files
and
WINDOWS\TEMP
also if you have the folder C:\WINDOWS\PREFETCH completely remove it.

5. run hijackthis and get rid of all the crappy BHO's and all other references to the bad homepage.

6. run regedit and search for 'home'. delete all the values/folders associated with the 'home search ass-is-tent'

7. completely turn off and back on your system and then run hijackthis. all the dodgy entries should be gone and the home search assistent should be gone from the add remove programs.

if this doesn't work try repeating from step 1 and making sure to delete all the dll,dat,and exe files.

let me know if this helps


0

Response Number 7
Name: adamada
Date: June 16, 2004 at 20:42:44 Pacific
Reply:

I'm running 98se and don't seem to have services.msc. Is there an alternative?


0

Response Number 8
Name: LANfarm
Date: June 16, 2004 at 21:11:07 Pacific
Reply:

just picked up this fella today too while browsing a nice low-ad porn site.
got a nasty pop-up surprise attack (took a lot of Alt-F4's to kill it) by the time the pop-ups were gone the hijack was installed and running.
it resets my internet explorer settings and folder settings every time i run IE, then it's got all the old spyware everyone loves but with much better anti-removal code.
i can't remove it with anything yet. hopefully an update will come out soon that can remove it.
there are 2 new tasks running on startup for me:
javadv32.exe &
d3bl32.exe
along with many others in the system32 folder that run off and on while using IE.
i did a google search on those 2 but no results found.
the spyware has control over all my search engines and it might be filtering out keywords that may lead to removing it.

if someone else can confirm those 2 tasks related to this hijack then that would be cool. and any help removing it would be great.
i want my google back :(


0

Response Number 9
Name: atomicdog420
Date: June 16, 2004 at 21:29:33 Pacific
Reply:

windows 98se doesn't have 'processes' exactly so i would just try to delete the files and try using 'msconfig' to make sure the 'Network Security Service' isn't in the win.ini or sys.ini files.

as for
javadv32.exe &
d3bl32.exe

although my particular computer didn't have these some others have said that it will add a 32 to the end of some file names. check the date the files were created. if it's within the past few days they are probably what you're looking for


0

Response Number 10
Name: jkloos
Date: June 16, 2004 at 21:40:13 Pacific
Reply:

I went through atomicdog420's instructions three times with no luck. Here is my latest hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 9:36:21 PM, on 6/16/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\SSC\NSCTOP.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\Explorer.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINNT\javapv.exe
C:\WINNT\msyh32.exe
C:\Program Files\Netscape\Netscape 6\Netscp.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\hmkra.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmkra.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmkra.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\hmkra.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hmkra.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\hmkra.dll/sp.html#37049
O2 - BHO: (no name) - {600DC967-A702-058C-B505-3E594D9FB029} - C:\WINNT\d3gp.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [msyh32.exe] C:\WINNT\msyh32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [javapv.exe] C:\WINNT\javapv.exe
O4 - HKLM\..\RunOnce: [appsn.exe] C:\WINNT\appsn.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)



0
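Added example, not part of jkloos's post or of HijackThis: a short Python pass over a HijackThis log that flags the kinds of entries visible in the log above (IE pages set to `res://` URLs, a BHO DLL sitting directly in the Windows folder, and Run/RunOnce entries that launch a binary from the Windows folder). The heuristics and the trimmed sample log are assumptions built from this thread; a flagged line is a candidate for review, not a verdict.

```python
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason detail")

# Constructed sample: entries copied from the log posted above, trimmed to a few lines.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\hmkra.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmkra.dll/index.html#37049
O2 - BHO: (no name) - {600DC967-A702-058C-B505-3E594D9FB029} - C:\WINNT\d3gp.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [msyh32.exe] C:\WINNT\msyh32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [javapv.exe] C:\WINNT\javapv.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.+)$")
RUN_ENTRY = re.compile(r"^[^:]+: \[([^\]]+)\] (.+)$")
BINARY = re.compile(r'^"?(.+?\.(?:exe|dll))', re.IGNORECASE)
WIN_ROOT = re.compile(r"^[a-z]:\\win(?:nt|dows)$", re.IGNORECASE)


def binary_path(command):
    """Return the .exe/.dll path at the start of a command line, without quotes."""
    m = BINARY.match(command.strip())
    return m.group(1) if m else None


def in_windows_root(path):
    """True when the file sits directly in C:\\WINNT or C:\\WINDOWS, not a subfolder."""
    return bool(path) and bool(WIN_ROOT.match(ntpath.dirname(path)))


def triage(log_text):
    """Return a Finding for every log line that matches one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, rest = m.groups()
        if section.startswith("R"):
            # R0/R1: IE start/search page values; res:// loads a page out of a local DLL
            _key, _, value = rest.partition(" = ")
            if value.lower().startswith("res://"):
                findings.append(Finding(section, "IE page served from a local DLL", value))
        elif section == "O2":
            # O2: Browser Helper Object; the DLL path is the last " - " field
            path = rest.rsplit(" - ", 1)[-1]
            if in_windows_root(path):
                findings.append(Finding(section, "BHO DLL in the Windows folder", path))
        elif section == "O4":
            # O4: autostart entries of the form "<location>: [name] command"
            run = RUN_ENTRY.match(rest)
            path = binary_path(run.group(2)) if run else None
            if in_windows_root(path):
                findings.append(Finding(section, "autostart from the Windows folder", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.reason}: {f.detail}")
```

Entries resolved through the search path (such as `mobsync.exe /logon`) and programs under `Program Files` are left unflagged by these rules, so they still need the usual line-by-line reading.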

Response Number 11
Name: jrt80
Date: June 16, 2004 at 21:47:49 Pacific
Reply:

atomicdog420 You are God. I followed the instructions, and it worked. Hey, jkloos, try it again. I had to do it twice because I missed some things. Do a windows search of the windows folder and of the system32 folder specifying that the folders be modified today. This will make it easier to identify the things you need to delete.


0

Response Number 12
Name: atomicdog420
Date: June 16, 2004 at 22:19:34 Pacific
Reply:

another good way to tell how far back to look for dodgy files is to check the path to executable for "Network Security Service". the date that file was created should be around the date the dodgy files started to appear (mine were about a day or two before that). also if you have to try more than once be sure to disable the 'Network Security Service' every time as it will reactivate if you don't get all the files.


0

Response Number 13
Name: jkloos
Date: June 16, 2004 at 22:28:40 Pacific
Reply:

RE: Atomicdog420's instructions, I still have had no luck. I have tried it four times. It makes sense at every step (meaning there is something meaningful to do), except "regedit". I find no evidence of any values/folders that are related to home search assistent. When I complete the process, the program still shows up in my "add/delete" options.


0

Response Number 14
Name: jkloos
Date: June 16, 2004 at 22:37:03 Pacific
Reply:

Update: I may have shaken this bug. Using Internet Explorer, I can set my home page and it stays in place. However, the Home Search Assistent still shows in my add/delete list of programs. Is that an issue, or, can it stay there?

jk


0

Response Number 15
Name: atomicdog420
Date: June 16, 2004 at 22:48:19 Pacific
Reply:

to get the home search assistent out of my add/delete list i had to use regedit and delete all the HSA references. to be sure i got them all i used edit to find 'home' then hit f3 until i found folders that were related to home search assistent or any of the following
IEFEATSL.DLL
MSIESH.DLL
SUBMITHOOK.DLL
UNINSTALL.EXE
UNINSTALL.INI
MSHP.DLL

a bit tedious since you go through a lot of entries that have 'home' in them but effective


0

Response Number 16
Name: geddylee
Date: June 17, 2004 at 05:19:05 Pacific
Reply:

atomicdog:

endless gratitude for your help in removing home search assistent.....not extremely literate in this sort of stuff, but after following your directions it seems to be taken care of. thanks a million!!!!


0

Response Number 17
Name: jkloos
Date: June 17, 2004 at 09:10:41 Pacific
Reply:

atomicdog420, thanks much for your help. Greatly appreciated.

Unfortunately, I still have the program showing in add/delete. When I run regedit, then search for 'home' under 'edit', I find none of the files you mention. In fact, after deleting just a few items, the search returns nothing at all. Any other ideas?

jk


0

Response Number 18
Name: Darcy79
Date: June 17, 2004 at 10:33:46 Pacific
Reply:

Atomic420, you are a right! One try and the bug is gone. Thanks a million!


0

Response Number 19
Name: floydthecat
Date: June 17, 2004 at 13:10:34 Pacific
Reply:

A420 you da man!

For others, make sure you search for HSA in the registry as well.
Here's an address for a Microsoft article on how to get rid of the add/remove listing.

http://support.microsoft.com/default.aspx?kbid=247501

jkloos, these files in your log looked suspicious to me
C:\WINNT\javapv.exe
C:\WINNT\msyh32.exe
If there's no company listed in properties (e.g. if it's not from Microsoft, Creative, etc ) you might want to delete them. I saved to floppy any files that I thought could possibly be legit for reinstallation later.



0

Response Number 20
Name: floydthecat
Date: June 17, 2004 at 15:29:21 Pacific
Reply:

Here's an addy for removing the pesky remaining entries from the startup list in msconfig.

http://www.tweakxp.com/tweak202.aspx


0

Response Number 21
Name: jkloos
Date: June 17, 2004 at 16:05:52 Pacific
Reply:

To, floydthecat and atomicdog, thanks much. I used the instructions at the microsoft site to locate and delete the program, which had a folder name of HSA. Now, it appears to be gone.

At start-up, my W2K laptop is lamenting the departure of d3kg32.dll. I suppose I'll find out what that was for, soon enough. But, it's a small price to pay. Thanks again, guys. -JK


0

Response Number 22
Name: phantasm40
Date: June 17, 2004 at 17:10:41 Pacific
Reply:

I had the pervasive little creation of some moron's making and could not eliminate it with any virus software or spyware removal prog. It also messed up my search programs. This put three new apps in my Add/Remove list...Home Search Assistent, Search Extender, and Shopping Wizard. To remove it I kinda got an idea from this forum of what to look for (thanks!!!), ran a 'Find' using the date feature (I had a clear idea of how far back to go because it was hijacking my browser) and found 16 exes, 8 dlls, 28 dats (all in either Windows or Windows/System) and a suspicious folder named 'ieki'. Most files were 5 digit gibberish, but some were longer ie 'ywnyqa.dat'. I highlighted all of them straight from the Find window and used a shredder to delete and wipe (not all were removed!) and went straight to my registry prog to clean out obsolete entries. Ran a new 'Find' and was left with three exes...iexm32.exe, apizo32.exe and ntcj.exe. I had to use an uninstaller (Cybermedia) that cleans the registry at the same time as deleting these files and reboots after each deletion because they were set in start-up (kill first with Ctrl-Alt-Del). You also have to be careful to view what is being deleted because it attached itself to other registry settings, one of which was my virus protection program...I just clicked off the deletion of those particular entries. Last I used 'Your Uninstaller' to 'force' delete the entries in Add/Remove for Home Search Assistent etc and used Spybot S&D to reset entries for search engines...the bad ones were 'res:\\...dll'. Phew...no more problems or hijacking! PS: I also had a similar file named 'd3ym32.exe', but it's completely gone...all I have left is to reinstall my search program because it was rendered useless.


0

Response Number 23
Name: trent
Date: June 17, 2004 at 18:56:54 Pacific
Reply:

i recently had this, i did a system restore to a point where i never had it, which got rid of it so it wasn't installed, then i deleted all my system restore points, so far it seems to have worked


0

Response Number 24
Name: sikdj
Date: June 18, 2004 at 01:28:56 Pacific
Reply:

okay, ive tried atomicdog's instructions... over 6 times. each time slowly going thru every little thing trying to find nething suspicious.

ive also tried system restoring my computer back 3 months ago.

all have not worked.

im positive that ive followed the instructions completely and correctly.

the only conclusion i have come to is that it must be something that i dont kno is there... in my registry, windows, or windows system32 folder.

im really tired of this program. ive spent roughly over 2 hours already doing this damn process over n over. n trying to get things to work...

has a company or organization released a patch or exe that will take care of this piece of s--- hijacker

please help. running out of options till i just blow away my harddrive. -__=


0

Response Number 25
Name: bakinakwa
Date: June 18, 2004 at 02:45:17 Pacific
Reply:

I have this exact same virus, but I am really inexperienced at this sort of manual deletion of spyware, so I am going to post the processes, files and my Hijack This log here. If anyone can suggest which files are suspicious and are safe to delete I would really appreciate it. I really don't want to accidentally delete something my computer needs because I cannot afford to get it fixed. Thanks in advance for all the help so far. Here goes:

Processes:

d3vw.exe
MsPMSPSv.exe
NPROTECT.EXE
NMSSVC.EXE
Navapsvc.exe
CTSVCCDA.EXE
Nhksrv.exe
ccEvtMgr.exe
SPOOLSV.EXE
SVCHOST.EXE (4 TIMES!)
lsass.exe
SERVICES.EXE
CSRSS.EXE
smss.exe


In Windows Folder:

netbq32
addvn32
apiaq32
javaic
sdkik
atily
sdkwe32
crrl
crdf
winys
mfcix32
itchba.dat
afgaxk.dat
wkrpkg.dat
mmtmrk.dat
wkrpk.dat

In SYSTEM32 Folder:

sysbh32
Nokbnadk
crcf
d3vw
Knciclle.dll
surf.dat
xgvby.dat

I was also going to post my Hijack This log, but some prompt has warned me not to, so I think that's about it. I do have the Prefetch folder and I'm uncertain about what exactly to look for in regedit, but I'm hoping against the odds that some kind soul here can help me out. Thanks in advance.


0

Response Number 26
Name: CBrooke
Date: June 18, 2004 at 06:37:52 Pacific
Reply:

Have read all of the posts to date. Am kind of a computer novice and am a bit nervous about attempting this removal myself, that is if I could even be successful. Considering the potential damage that I could do to my computer is it better to take it in to be fixed by a professional?

thanks


0

Response Number 27
Name: MA
Date: June 18, 2004 at 06:38:24 Pacific
Reply:

First, thanks to Atomicdog420

I have followed his instructions and everything has worked correctly, that is, after several attempts. I am going to try to explain my procedure (in case to somebody it is to him useful), although to not being English, my explanations can not be very clear.

First, I disconnected my access to Internet. Soon I disabled the 'Network Security Service' and disabled also the profile associated to this service (if not, sometimes it starts alone).

I erased all the suspicious files, from 'c:\windows', 'c:\windows\system32', 'c:\windows\temp' and 'c:\windows\prefetch'. By assumption, you must have administrator rights to accede to these folders and delete the files. ATTENTION: I found and erased enough suspicious archives with the random 5 letter named (DLL, exe, and dat you case out), PREVIOUS to the date in which I was infected. If my memory doesn't cheat me, exe files had a size of 29k. In order to be sure that we do not lose any important file, I suggest instead of erasing them, we move them to a diskette from where we will be able to rescue some that it is of the system or some application that we need. However, I let you also know that after cleaning the HD, in the first starting, I received error messages on archives that lacked (atlyv.exe and mfcpd.exe, for example) that disappeared in the second beginning.

Also I erased all the archives in folders 'C:\Documents and Settings\(Your User Name)\Local Settings\Temp'
and 'C:\Documents and Settings\(Your User Name)\Local Settings\Temporary Internet Files' (in all my users, since I have several).
I do not have 'hijackthis', reason why I did not use it (but I have Ad-Aware that warns me any attempt of modification of the registry) :(
I executed 'regedit' and search for all the entrances that made reference to HSA and the files DLL that made the call to the dam Home Page (in my case were 'xkqme.dll' and 'ehgxr.dat', and previously 'aayhp.dat' and 'wxtel.dll').

After three attempts with partially satisfactory results, at the end I have obtained that HSA even disappears of 'add/delete list programs'.

Good luck and thanks a lot.



0

Response Number 28
Name: six-pack
Date: June 18, 2004 at 08:24:56 Pacific
Reply:

guys, i tried the system restore....it works for me. i hope those people who have fallen victim to this hijack program can find one way or another to get rid of this hijack program. Thanks for everyone here for being so supportive.


0

Response Number 29
Name: Boone
Date: June 18, 2004 at 08:50:45 Pacific
Reply:

I battled with this for several hours yesterday. Combine suggestions from Atomicdog420 & phantasm40 to fix this problem. "Your uninstaller" was a HUGE help.
1) Print off or save these instructions,
2) delete all your temp internet files, etc., and close IE
3) disable the network security thing,
4) kill all dodgy processes thru ctrl alt delete and MSconfig (i pretty much killed anything that wasn't critical),
5) run hijackthis and remove anything that you're not positive is legit,
6) delete all the dodgy bats, exes, and dlls from Windows & System 32 (you can't rely on the date created function ... I had some that were listed as a year old),
7) delete everything in your temp and temp int. files,
8) delete the prefetch folder,
9) run regedit and search for HSA, home, SW, shopping, home, SE, and extender ... delete the appropriate folders ... this is very time consuming and you'll prolly have to do it a few times,
10) run "your uninstaller" and remove the programs from your add/remove programs list ... ignore the error message with the link, just move it out of the way and continue with "your uninstaller's" removal process ... you'll have to restart "your uninstaller" once cuz the free version only allows 2 removals at a time ... you may have to play with this a few times to get it to work, but you can get them all off add/remove programs,
11) restart and say a few Hail Mary's.


0

Response Number 30
Name: wishimay75
Date: June 18, 2004 at 09:04:43 Pacific
Reply:

I have this hijacker as well and I have tried the directions several times to remove it. Will anyone be able to write something automated that will remove these? God bless that person! I can't seem to get it off my system yet.

Jean


0

Response Number 31
Name: osbumlets
Date: June 18, 2004 at 13:42:26 Pacific
Reply:

Reply #6 from Atomicdog did it for me! I won't outline all the steps cause I worked for 12 hours to get rid of this motherf-cker, but disabling "Network Security Service" was the key. During all of this, it was helpful to have printed out the instructions, and downloaded hijackthis, cwshredder, ad aware, and search & destroy, all ahead of time. That way you minimize your use of IE. Each step of the way, I was running the Search and Destroy protector and checking task manager, cause those suspicious programs can pop up again.

The executables I deleted from c:\windows and c:\windows\system32 were not 5 characters long. They were any number of random characters followed by a 32.exe, created this month (june 04), and 9kb in size. Instead of deleting them I put them away in another folder. Probably would have been better to put them on a disk.

But all that worked. I been free for 4 hrs so far. Hope my bit of extra info helped you guys.

Oh yeah, and I'll admit to where I got the virus .. it was looking at gay porn movies off of gaysicle.com. Of course I can't pinpoint it, cause it was a series of pop ups and then BOOM.. but hello.. HATE CRIME!
;-)



0
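Added example, not from any poster in this thread: the file hunt described in reply #6 and refined in the reply above, written as a read-only Python listing. The name pattern, extensions and labels are assumptions drawn from file names posted in this thread; the script only reports candidates, so each one can be checked (for instance the vendor shown in file properties) and moved aside rather than deleted.

```python
import os
import re
import sys
import time
from pathlib import Path

# Assumed name shape, taken from names posted in this thread (dhogb, ntcj, msyh32,
# javadv32): three to six letters or digits, optionally followed by "32".
NAME_SHAPE = re.compile(r"^[a-z0-9]{3,6}(?:32)?$", re.IGNORECASE)
SUSPECT_EXT = {".exe", ".dll", ".dat"}


def classify(name, created, since):
    """Label one file by name shape and creation time (both in epoch seconds).

    "recent"    : name fits and the file was created inside the window
    "name-only" : name fits but the file is older; genuine system files such as
                  kernel32.dll also fit the shape, so this label means "verify
                  the vendor first", never "delete"
    "ignore"    : extension or name does not fit
    """
    stem, ext = os.path.splitext(name)
    if ext.lower() not in SUSPECT_EXT or not NAME_SHAPE.match(stem):
        return "ignore"
    return "recent" if created >= since else "name-only"


def created_time(st):
    # st_birthtime where the platform exposes it; on Windows st_ctime is the
    # creation time. On Linux st_ctime is the inode change time (approximate).
    return getattr(st, "st_birthtime", st.st_ctime)


def scan(directory, since):
    """Return sorted (label, file name, size in bytes) for every candidate file."""
    rows = []
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        st = entry.stat()
        label = classify(entry.name, created_time(st), since)
        if label != "ignore":
            rows.append((label, entry.name, st.st_size))
    return sorted(rows)


if __name__ == "__main__":
    # Usage: python scan.py C:\WINDOWS 7   (folder, look-back window in days)
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    for label, name, size in scan(folder, time.time() - days * 86400):
        print(f"{label:10} {size // 1024:6} KB  {name}")
```

Run it once per folder (the Windows folder, then its system folder); files labelled `name-only` cover both the year-old dates one poster reported and ordinary system DLLs, which is why the listing does not delete anything.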

Response Number 32
Name: rmckenna
Date: June 18, 2004 at 13:56:37 Pacific
Reply:

My task manager only shows applications running, all processes are hidden and there is no menu bar


0

Response Number 33
Name: tbyars
Date: June 18, 2004 at 14:25:01 Pacific
Reply:

I'm not sure anyone will be able to automate the process to get rid of this because it looks like the names of ALL the generated files are totally random.

We picked it up on our desktop at home when my son says he accidentally clicked on a link he didn't intend to. I worked on it for probably 12 hours Wednesday and Thursday nights before I finally was successful in removing it. I think my son did a whole lot more internet surfing after he picked it up, and by the time I got to looking, it was really wrapped up in our machine.

So if it helps anyone here, here are a couple of other things I discovered that might help others.

As someone mentioned, this thing comes bundled as a combination of three programs: Home Search Assistent (note the misspelling of 'assistent'), Search Extender and Shopping Wizard. When hunting these in Explorer or regedit, they can be found in folders entitled HSA, SW and SE. You must delete these folders and keys as well.

When you are hunting the registry for anything associated with Network Security Service, note that the official name is a little funky. I did a search for _Security and _Service . In these searches, you discover some registry entries that begin "Legacy." You will need to right click on these registry keys and set the permissions to full access to be able to delete these. If you don't, they will regenerate.

If you are using XP or Win 2000, don't forget to turn off system restore before you start the process or it will just undo what you have done when you restart.


0

Response Number 34
Name: tallwhitey
Date: June 18, 2004 at 15:02:32 Pacific
Reply:

I recently was a victim to the Home Search Assistent which had the other two names (Search Extender, Shopping Wizard) under my Add/Remove Programs list. With the help of AtomicDog's post, I was able to combine solve this problem. One problem I still have though, is when I first noticed I had this, I tried uninstalling Internet Explorer and reinstalling only to see that when I reinstalled it, I can no longer get online. I use Windows XP and I have a Cable Modem. I have two other computers on a Router and this is the only one that isn't working anymore. I no longer have any of the three "Home Search Assistent" files in my Add/Remove program list anymore and everything seems to be working fine, I'm just having trouble getting back online. If anyone could give me some pointers, I'd appreciate it. I've checked my Network Connection Settings and everything looks good and it even shows that the connection is established.


0

Response Number 35
Name: foreverabulldog
Date: June 18, 2004 at 15:11:42 Pacific
Reply:

hello people.
After falling victim to this myself..I went to my find files and folder and did a search on all files created on this day .. my goodness I must have deleted about 50 files and they kept on replicating F*** i was running out of patience.. cut a long story short I finally got rid of it...yehhhhh...
I went to the control panel to see if it was still there,, and guess what ...??? still there but funny enough when i went to remove it ,,, a message came up saying can't get to this http address.. so being cautious i copied the address and went to the site where it allows you to download the uninstall for this little bugger... copy it exactly as it is case sensitive...good luck guys ... i am freeeeeeeeeeeeeeeeeeeee..
http://www.looking-for.cc/uninstall/HomeSearchAssistant.html


0

Response Number 36
Name: Jay15711
Date: June 18, 2004 at 15:52:36 Pacific
Reply:

The uninstall from foreverabulldog looks promising, but when I download it and try to run it, nothing happens. Any ideas?


0

Response Number 37
Name: Tboy
Date: June 18, 2004 at 17:08:26 Pacific
Reply:

For those who use Win98, I just did a restore and the #%$#% Home search ass-is-tent is gone.

For those who don't know.
To do a restore, reboot, as the system starts tap the F8 key, choose "Command Prompt Only" type in scanreg/restore

now hit enter, pick a date well back and restore.

This worked for me, I hope it works for you.
Troy


0

Response Number 38
Name: osbumlets
Date: June 18, 2004 at 23:35:39 Pacific
Reply:

TO TALLWHITEY

I had a similar problem, and it was because after the keys for the webpages were deleted, internet explorer didn't have a homepage to open up. so i kept clicking on the icon and it did nothing. The quick solution I did was to go into AIM and click on a link in my own profile. After IE opened up that link, I was able to go into settings and define a homepage.



0

Response Number 39
Name: phantasm40
Date: June 19, 2004 at 01:34:10 Pacific
Reply:

RE: HSA...this is probably the most malicious thing I've seen in a long time and I'm guessing that to get rid of it, it will depend on your OS...I'm running ME and managed to catch it early enough so that there were only 52 created files, all in either Windows or Windows/System (as per my earlier post), but you have to get them all and any registry settings associated. Just wanted to confirm what Lenny said though...the ones that were most difficult were 3 exes of 9K each. The dats, dlls, exes also were not just 5 characters (although mostly) as another post indicated...they were random with many having the "...32.exe" form. For those who are shaky on regedit, you could try deleting with a shredder (I use BCWipe) and a program that seeks out obsolete registry entries (I use FixIt Utilities) and use them in combination...but kill anything you don't need first with Ctrl-Alt-Del to stop the running malware...it doesn't hurt to disconnect from the net during the process either. Um...one more thing...the low life scums who created this s**t should be connected to my septic tank and have their collective brains injected with crap to see how much they enjoy it.


0

Response Number 40
Name: Jimmy Jambo
Date: June 19, 2004 at 08:54:15 Pacific
Reply:

I picked this up 3 days ago and after reading all the posts I don't have enough confidence to get rid of it manually.

I plan on doing a System Restore.

I have Windows XP with cable modem.
Any Suggestions ??


0

Response Number 41
Name: Out_there
Date: June 19, 2004 at 09:32:24 Pacific
Reply:

This virus has caused me grief for a week! I could not eliminate it with the standard Adaware, Norton anti-virus software. I obtained this pesky POSh!t while surfing for some hot babes, because I'm getting a divorce. Silly me. Atomicdog420 did provide some excellent solutions for this and I used them. Seems to have worked. Now if he could only fix my wife!

virus'! Suck!


0

Response Number 42
Name: adrerex
Date: June 19, 2004 at 09:45:45 Pacific
Reply:

Thank You foreverabulldog, It seems I'm free too. I didn't think the http address could be case sensitive:
http://www.looking-for.cc/uninstall/HomeSearchAssistant.html


0

Response Number 43
Name: Flash754
Date: June 19, 2004 at 09:48:31 Pacific
Reply:

Hi, this thing has been driving me crazy for a few days now, I tried some of your ideas and got a bit lost and gave up.
FINALLY adaware has an update to get rid of this so go get it.

Flash


0

Response Number 44
Name: adrerex
Date: June 19, 2004 at 09:58:23 Pacific
Reply:

It may be necessary to download the uninstallers from these two addresses:
http://www.looking-for.cc/uninstall/SearchExtender.html
http://www.looking-for.cc/uninstall/ShoppingWizard.html
They are both case sensitive too..


0

Response Number 45
Name: Squatch
Date: June 19, 2004 at 18:16:33 Pacific
Reply:

THANK YOU, T BOY!!!
I'd been banging my friggin head against my desktop in angst for days battling this corksucking icehole, when I finally found this tale of tragedy of those who, like me, have tried in vain to slash and burn the onslaught of zombie dlls!
I did have some luck following some of the slash and burn techniques described above, but my system, though free of the HSA plague, was running on wounded knees from the many needed files I hacked out with a machete in my desperate attempts to purge my system of these unwanted demons!
Thankfully, I tried 'T boy's' suggestion of doing a system restore and it worked like a friggin charm!!
Now I've just read that there is a fix on Adaware update??
I just hope someone tracks down the farging bastages that unleashed these hounds of hell!


0

Response Number 46
Name: sprengstof
Date: June 19, 2004 at 19:12:42 Pacific
Reply:

I had success in completely removing the problem using the following process:

(Note that Ad-Aware does NOT remove this by itself.)

1. Download "Ad-Aware", install it, and update to the latest spyware definition file.

2. Download "HijackThis" and install it.

3. Boot the system in SAFE MODE and use "Ad-Aware" to remove everything it finds.

4. Run the "HijackThis" scan, and carefully go through the list checking off any "random-character" 5-letter files (like "agppa") which are loading from the Windows, System, or System32 folders; also check anything resembling "[Default]" as a standalone entry. Have the program remove all the checked files.

5. Reboot the machine normally and re-run Ad-Aware and HijackThis. (They shouldn't find anything else, but it never hurts to be sure ;-D)

Hope this helps!


0

Response Number 47
Name: pmtorres
Date: June 19, 2004 at 20:19:09 Pacific
Reply:

I got rid of Home Search Assistent using updated adaware program but can't get rid of a connected problem. A loader for office professional 2003 keeps opening every time I open a windows application. Does anyone else have this problem or suggestions for fixing?


0

Response Number 48
Name: tallwhitey
Date: June 20, 2004 at 00:31:17 Pacific
Reply:

LENNY

It won't let me get online with anything, AIM, IE, anything. I have no idea what it did to my computer, but I have no access to the internet through it since this stupid thing got on my computer. The only notable change is that when I uninstalled the IE from my computer and reinstalled it again, the XP patch for IE 6 isn't on there anymore because I can't download it. Do you think this may have something to do with it?


0

Response Number 49
Name: harrison73
Date: June 20, 2004 at 06:31:19 Pacific
Reply:

Phew! 3 Days later I am finally free of this absolute f*****g nitemare. With the help of Adaware's update and a little tweaking from sprengstof's reply and some manual removes I think I got that sucka. The Forum's been a great help. Thanks guys and gals!

Stay away from internet porn it only gives you grief not relief. And if I ever get my hands on the rotter that set-up this malicious sh*t ... you are a dead man walking.


0

Response Number 50
Name: dollarshort
Date: June 20, 2004 at 07:06:24 Pacific
Reply:

Thanks to T-Boy (Response #37). The registry-restore procedure worked great (as far as I can tell). No more "Search Extender" in the ADD/REMOVE programs list....also my browser homepage is back.


0

Response Number 51
Name: JackChester
Date: June 20, 2004 at 08:24:39 Pacific
Reply:

Is there a secret society I can join so that we can track these people down and gouge out their eyes?

There were three packages "Home Search Assistent", "Shopping Wizard", and "Search Extender". You will find entries in the registry with "Home Search" (two spaces between words) and "Search Extender" (two spaces again).

Please people, do not assume that the link (looking-for.cc) provided to uninstall this beast is safe. Do not trust this. This uninstall was provided by the same basturds who developed this beast. I would suggest, NEVER use the uninstall packages provided by iSearch or any other of these cyber terrorists.

I think I am free after struggling over 8 hours and doing the things atomicdog specified. I have one remaining question or concern. I can not delete these directories under windows\: "preftech" and "srchasst". preftech reappears with files. Are these legitimate system directories?


burde11


0

Response Number 52
Name: adamada
Date: June 20, 2004 at 08:25:20 Pacific
Reply:

I was looking around my registry for this, and noticed that in RunServices were some strange things:

windows/addik32.exe
windows/system/d30x.exe
windows/system/ipby32.exe
windows/ipkq.exe

I've run adaware, but it isn't removing these things from my registry. Should I remove these, too?


0

Response Number 53
Name: BigMoneyGrip
Date: June 20, 2004 at 11:39:37 Pacific
Reply:

Just got this b---tard yesterday (6/19). System Restore saved the day for me (I'm running XP professional). I only restored back to 6/18 and so far so good, but sounds like I'm one of the lucky ones. If the programmers behind this are ever found, please post their names/home addresses on this site as I would like to have a little "talk" with them.



0

Response Number 54
Name: NeonRider
Date: June 20, 2004 at 11:44:04 Pacific
Reply:

I'm a "victim" of anarchist/hijacker Pavel Petroff (Petrov) from Moscow as well.


I tried EVERYTHING. No success. Russians are basically anarchists - they live like pi*s and they want everyone else around them to live like pi*s too - look at USSR and Russia's history and how many countries they turned from nice into communist pi*houses and look how long it takes for them to clean the mess (and sten*h) up that russkies left behind. Here's my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 2:23:03 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\system32\apirs32.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\nettb32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\llkbdgdr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\MyName \Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edohu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edohu.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://edohu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edohu.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://edohu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\edohu.dll/sp.html#96676
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {5CFAF24E-30D8-16EC-61C5-3C8D3C3A482F} - C:\WINDOWS\ielf.dll
O4 - HKLM\..\Run: [nettb32.exe] C:\WINDOWS\nettb32.exe

Thanks

Andrew



0
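The HijackThis log in Response 54 contains the three entry types the thread keeps returning to: `res://` start pages (R0/R1), hosts-file redirects (O1), and helper objects and autoruns loading from the Windows folder (O2/O4). The following is an added example, not part of any poster's reply and not HijackThis's own code; the function names and the flagging rules are assumptions drawn from the advice in this thread, and the sample is a shortened copy of the log with two benign lines constructed for contrast.

```python
import re
from ntpath import basename, dirname, normcase  # Windows path rules on any OS

# Constructed sample: entry lines copied from the log above, plus two benign
# lines (the 127.0.0.1 hosts entry and the jusched Run entry) added for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\nettb32.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\edohu.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://edohu.dll/index.html#96676
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5CFAF24E-30D8-16EC-61C5-3C8D3C3A482F} - C:\WINDOWS\ielf.dll
O4 - HKLM\..\Run: [nettb32.exe] C:\WINDOWS\nettb32.exe
O4 - HKLM\..\Run: [jusched] C:\Program Files\Java\bin\jusched.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "R0 - ...", "O4 - ..."
RES_RE = re.compile(r"=\s*res://([^#]+?\.dll)/", re.IGNORECASE)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}


def parse_log(text):
    """Split a HijackThis log into the running-process set and (code, body) entries."""
    running, entries, in_processes = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            running.add(normcase(line))
    return running, entries


def triage(text):
    """Return entries worth a manual look; nothing is deleted or changed."""
    running, entries = parse_log(text)
    findings = []

    def add(code, reason, detail, file=None, is_running=None):
        findings.append({"code": code, "reason": reason, "detail": detail,
                         "file": file, "running": is_running})

    for code, body in entries:
        if code in ("R0", "R1"):
            # IE start/search page served out of a DLL on the local disk.
            match = RES_RE.search(body)
            if match:
                add(code, "IE start/search page points into a local DLL",
                    body.split(",", 1)[-1], basename(match.group(1)))
        elif code == "O1":
            # Body looks like "Hosts: <ip> <hostname>"; loopback lines are normal.
            parts = body.split()
            if len(parts) == 3 and parts[0] == "Hosts:" and not parts[1].startswith("127."):
                add(code, "hosts file sends a name to a non-loopback address",
                    f"{parts[2]} -> {parts[1]}")
        elif code in ("O2", "O4"):
            # O2 ends with " - <dll path>"; O4 has "[name] <command>".
            path = body.rsplit(" - ", 1)[-1] if code == "O2" else body.split("] ", 1)[-1]
            if normcase(dirname(path)) in WINDOWS_DIRS:
                kind = "browser helper object" if code == "O2" else "autorun entry"
                add(code, f"{kind} loads from a Windows folder; verify the file",
                    path, basename(path), normcase(path) in running)
    return findings


def files_to_locate(findings):
    """File names referenced by flagged entries, for the Safe Mode search step."""
    return sorted({f["file"] for f in findings if f["file"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = " (currently running)" if f["running"] else ""
        print(f'{f["code"]}: {f["reason"]}: {f["detail"]}{state}')
    print("Look for:", ", ".join(files_to_locate(triage(SAMPLE_LOG))))
```

Legitimate software also installs autoruns under `system32`, so an O2/O4 finding here means "check this file", not "delete it".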

Response Number 55
Name: alemsch
Date: June 20, 2004 at 12:22:21 Pacific
Reply:

please try this solution....
it works for me....
mail me to thanks jeje...

1.- internet explorer.-tools.-advanced tools.-then unmark: third person extensions
2.-delete all temporary internet files
3.-start.-all programs.-start and delete files are suspect
3.-delete windows/system32 files
4.-try with a uninstaller from download.com
(unist pro 4)
5.- restart your pc
6.- sorry my english I'm from argentina and I just want to help u



0

Response Number 56
Name: babysdad
Date: June 20, 2004 at 12:34:28 Pacific
Reply:

i had this and weberaser has taken care of it. i only have a couple of days left on the free trial but it has cleared EVERYTHING out. who knows maybe it didn't load properly 'cause i use netscape 99% of the time.


0

Response Number 57
Name: Niterider
Date: June 20, 2004 at 13:38:34 Pacific
Reply:

Got infected this afternoon. Downloaded Adaware v6.0 and this has cleared my machine


0

Response Number 58
Name: Jimmy Jambo
Date: June 20, 2004 at 13:41:32 Pacific
Reply:

VIVA !!!! VIVA !!!! EUREKA !!!!!!!!!!!!


I am RID of this a$$hole....

Picked it up last Wednesday

Thanks BigMoneyGrip. I got Windows XP 3 months ago I don't really know all the good things it can do....

If you have XP..getting rid of this fu%&$&*
is the easiest thing to do

Go to PROGRAMS..

Go To ACCESSORIES

Go To SYSTEM TOOLS

Go To SYSTEM RESTORE

and pick a date you want XP to go back to

I picked last Sunday.. XP went thru its
stuff..and re-booted
and PRESTO !!

I got my Yahoo Home Page and Yahoo Toolbar back. !!!!!

All I had to do was reinstall NoAdware which I got 2 days ago to try to get Rid of HSA..

Yeah, yeah..I got the scum from Internet Porn....:-(( Just watch what you click

there are decent porn sites out there and will not f#@* you up..

Can you say " decent and porn " in the same
sentence??? lol


0

Response Number 59
Name: NeonRider
Date: June 20, 2004 at 13:50:12 Pacific
Reply:

Oh, and by the way, I tried everything mentioned above up to date. Nothing worked. I gave up and got myself a Firefox and forget that stupid IE. The only problem - I can't remove that DeBillGatesh*t from my PC. And by the way, here's contact data for that stinky russki b---tard degenerate (Russkiland is full of degenerates as we all know):

FINE-SEARCH.NET

Registrant:
None
Pavel Petroff ()
PO BOX 2176
c/o Pint spb N20
Slough PDO
,SL3 0PE
GB
Tel. +7.5017000206

Creation Date: 13-May-2004
Expiration Date: 13-May-2005

Domain servers in listed order:
prim1.gpisoft.com
sec1.gpisoft.com


Administrative Contact:
None
Pavel Petroff ()
PO BOX 2176
c/o Pint spb N20
Slough PDO
,SL3 0PE
GB
Tel. +7.5017000206

Technical Contact:
None
Pavel Petroff ()
PO BOX 2176
c/o Pint spb N20
Slough PDO
,SL3 0PE
GB
Tel. +7.5017000206

Billing Contact:
None
Pavel Petroff ()
PO BOX 2176
c/o Pint spb N20
Slough PDO
,SL3 0PE
GB
Tel. +7.5017000206

Status:ACTIVE


Here's more:

lookfor.cc
Registrant: Pavel Petroff (support-cc@yellow500.com)

PO BOX 2176
Moscow, NONE 119992
RU
+7.5017000206

Administrative, Technical, Billing Contact: Pavel Petroff (support-cc@yellow500.com)

PO BOX 2176
Moscow, NONE 119992
RU
+7.5017000206

Record expires on: Dec 2 2004
Record created on: Dec 2 2003
Domain Name Servers: ns1.lookfor.cc
ns2.lookfor.cc

And here we got a STREET ADDRESS for the "HOST" of those degenerate sites:

Registration Service Provided By: NAME15.COM
Contact:
Website: http://name15.com

Domain Name: GPIHOST.COM

Registrant:
Hot Bookmark Ink.
Pavel Rosenblum ()
Universitetskaya street 3
Izhevsk
Udmurt Republic,426034
RU
Tel. +7.5017000206

Creation Date: 11-Jul-2001
Expiration Date: 11-Jul-2005

Domain servers in listed order:
ns1.gpihost.com
ns2.gpihost.com


Administrative Contact:
Hot Bookmark Ink.
Pavel Rosenblum ()
Universitetskaya street 3
Izhevsk
Udmurt Republic,426034
RU
Tel. +7.5017000206

Technical Contact:
Hot Bookmark Ink.
Pavel Rosenblum ()
Universitetskaya street 3
Izhevsk
Udmurt Republic,426034
RU
Tel. +7.5017000206

Billing Contact:
Hot Bookmark Ink.
Pavel Rosenblum ()
Universitetskaya street 3
Izhevsk
Udmurt Republic,426034
RU
Tel. +7.5017000206

Status:ACTIVE


Remember - if their WHOIS data is FAKE then ICANN laws will help to correct it.

Who's joining me to fly "talk" to the degenerate?


0

Response Number 60
Name: NeonRider
Date: June 20, 2004 at 13:52:37 Pacific
Reply:

PROBLEM is that there are some TEMP internet files on my PC that will not delete from temp folder = "Access Denied".


0

Response Number 61
Name: NeonRider
Date: June 20, 2004 at 14:09:27 Pacific
Reply:

russki shmo urodki vanuchie


0

Response Number 62
Name: osbumlets
Date: June 20, 2004 at 14:36:47 Pacific
Reply:

TALLWHITEY

Sorry, I don't know what's wrong then. Anyone?

.

I would like to state to everyone that going to the website that the virus sends you to and loading their "uninstall" is the worst idea ever. Think about it.


0

Response Number 63
Name: adamada
Date: June 20, 2004 at 15:46:56 Pacific
Reply:

I've removed this several times now, and it remains gone until I launch windows media player. Then all the files reappear. Should I uninstall media player, as well?

Thanks.


0

Response Number 64
Name: BuGS
Date: June 20, 2004 at 23:58:20 Pacific
Reply:

THANK YOU ATOMIC!!! That worked wonders for this and my res://***.dll problem!!!

/\/\30\/\/


0

Response Number 65
Name: hobbes_dss
Date: June 21, 2004 at 09:16:28 Pacific
Reply:

One of the computers on my network also got infected with this nasty. Got rid of it after an hour of trial & error --- I wish I found this website first!

Does anyone know where this app gets downloaded from? Or how it got installed?

I'm network admin for 150+ PCs at a public library & want to nail this one before it strikes again.

Many thanks!



0

Response Number 66
Name: Jay Ottawa
Date: June 21, 2004 at 10:12:35 Pacific
Reply:

Funny that System Restore does *NOT* work for me. I can restore my system fine, but my home page still goes to "res://ungmy.dll/index.html#96676" and always goes back when I try to reset it.

The most common response people are giving is to delete any "random-character" 5-letter files (like "agppa") which are loading from the Windows, System, or System32 folders.... but how do I know I'm not deleting something important that I should have?!?

Also, just to note that I visited and downloaded the uninstall tools
http://www.looking-for.cc/uninstall/SearchExtender.html
http://www.looking-for.cc/uninstall/ShoppingWizard.html
but they did nothing.

I'm so lost and very frustrated.


0

Response Number 67
Name: hobbes_dss
Date: June 21, 2004 at 10:48:33 Pacific
Reply:

Hi Jay,

I was able to get rid of it by doing the following:

1. Make note of the dll in the home page (i.e. res://ungmy.dll/index.html#96676).

2. Reboot in SAFE MODE.

3. Do a search for the ungmy.dll file. Delete the file.

4. Search your Windows & Windows\System directories for the "agppa-type" files. Do a sort by date/time & you should get a bunch of .exe & .dat files with the same date & time stamp. Delete them.

5. Open MSCONFIG.

6. Check the STARTUP tab & uncheck all of the "agppa-type" entries. Some will be in the Windows directory; others in the Windows\System directory.

7. Check the SERVICES tab & uncheck all of the "agppa-type" entries. Some will be in the Windows directory; others in the Windows\System directory.

8. Re-boot Windows.

Do you know which website and/or app installed the offending p.o.s.?

Thanks,

Dave


0

Response Number 68
Name: Jay Ottawa
Date: June 21, 2004 at 11:16:22 Pacific
Reply:

I don't remember which site, but it was linked to via this one (sorry for the porn link)...

http://www.judsmovies.com/index.shtml


0

Response Number 69
Name: eriks2004
Date: June 21, 2004 at 11:17:53 Pacific
Reply:

Hey guys, I had a solution to this problem, but I am new at this forum so I accidentally posted it at:

http://www.computing.net/security/wwwboard/forum/12373.html

You can go there for a really simple solution, I believe my post is #4, sorry bout that lol


0

Response Number 70
Name: Jay Ottawa
Date: June 21, 2004 at 11:50:05 Pacific
Reply:

That post says to uninstall everything, then reinstall. Surely there's an easier way.

There's too many solutions posted here. Which works?

I'm running XP.

- System Restore did not fix it for me.
- AdAware (with the update) finds and deletes a whole bunch of stuff, but not for good. When I launch my browser, the hijacking starts over again.
- Hijack this also finds and deletes what I suspect are bad files, but they just return after I reboot.

AdAware is able to locate but is never successful at deleting CoolWebSearch which is located at c:/windows/system32/javaka32.exe

I can run Adaware over and over and it stays there.

Any further help?


0

Response Number 71
Name: hobbes_dss
Date: June 21, 2004 at 12:29:36 Pacific
Reply:

Hi Jay,

My solution does work. It just takes a little time to locate the files.

If you're not comfortable deleting the files, just RENAME them by adding another extension to the name (i.e. ungmy.dll --> ungmy.dll.old; agppa.exe --> agppa.exe.old) or MOVE the files to a special directory (i.e. C:\SPYWARE).

************************************

1. Make note of the dll in the home page (i.e. res://ungmy.dll/index.html#96676).

2. Reboot in SAFE MODE.

3. Do a search for the ungmy.dll file. Delete/rename/move the file.

4. Search your Windows & Windows\System directories for the "agppa-type" files. Do a SORT by DATE/TIME & you should get a bunch of .exe and .dat files with the same date & time stamp. These files will all have today's date & time (or a very recent one). Delete/rename/move them.

NOTE: At this point, you've gotten rid of the problem. However, you'll need to remove their entries from the registry or you'll get a few error messages every time you re-boot your computer.

5. Open MSCONFIG.

6. Check the STARTUP tab & uncheck all of the "agppa-type" entries. Some will be in the Windows directory; others in the Windows\System directory.

7. Check the SERVICES tab & uncheck all of the "agppa-type" entries. Some will be in the Windows directory; others in the Windows\System directory. That's it --- fixed.

8. Re-boot Windows and you should be back in business.

-Dave


0
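Step 4 in the two posts above relies on the dropped files sharing a date and time stamp, and the second post suggests moving or renaming them instead of deleting. The following is an added example, not part of the poster's reply: it groups recently modified `.exe`/`.dll`/`.dat` files whose timestamps fall within a minute of each other and moves a chosen group into a quarantine folder with `.old` appended. All function names, the 60-second gap and the minimum group size of three are assumptions, and the demo directory is constructed.

```python
import os
import shutil
import tempfile
import time

SUSPECT_EXTS = {".exe", ".dll", ".dat"}


def list_candidates(directory, since):
    """Return (path, mtime) for .exe/.dll/.dat files modified at or after `since`."""
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            ext = os.path.splitext(entry.name)[1].lower()
            if entry.is_file(follow_symlinks=False) and ext in SUSPECT_EXTS:
                mtime = entry.stat(follow_symlinks=False).st_mtime
                if mtime >= since:
                    found.append((entry.path, mtime))
    return found


def clusters_by_time(candidates, max_gap=60, min_size=3):
    """Group files whose consecutive timestamps are at most `max_gap` seconds apart."""
    groups, current, last = [], [], None
    for path, mtime in sorted(candidates, key=lambda item: item[1]):
        if last is not None and mtime - last > max_gap:
            groups.append(current)
            current = []
        current.append(path)
        last = mtime
    if current:
        groups.append(current)
    # A lone new file is usually an ordinary install; a burst is worth a look.
    return [sorted(group) for group in groups if len(group) >= min_size]


def quarantine(paths, dest):
    """Move files into `dest` with '.old' appended so they can be put back."""
    os.makedirs(dest, exist_ok=True)
    moved = {}
    for path in paths:
        target = os.path.join(dest, os.path.basename(path) + ".old")
        shutil.move(path, target)
        moved[path] = target
    return moved


def make_demo_dir():
    """Build a constructed directory standing in for the Windows folder."""
    root = tempfile.mkdtemp(prefix="hsa_demo_")
    now = time.time()
    burst = now - 5 * 3600  # constructed "infection" time, five hours ago
    layout = {
        "agppa.exe": burst, "ungmy.dll": burst + 5, "xqzrt.dat": burst + 20,
        "setup.exe": burst + 3600,      # single recent file, not part of a burst
        "notepad.exe": now - 30 * 86400,  # old file, before the cutoff
        "readme.txt": burst + 1,        # wrong extension, ignored
    }
    for name, mtime in layout.items():
        path = os.path.join(root, name)
        open(path, "wb").close()
        os.utime(path, (mtime, mtime))
    return root, now - 86400  # cutoff: look back one day


if __name__ == "__main__":
    root, since = make_demo_dir()
    for group in clusters_by_time(list_candidates(root, since)):
        print("Same-time group:", [os.path.basename(p) for p in group])
        for src, dst in quarantine(group, os.path.join(root, "quarantine")).items():
            print("  moved", os.path.basename(src), "->", dst)
    shutil.rmtree(root)
```

Review each group before calling `quarantine`; Windows updates and ordinary installers also write several files within the same minute.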

Response Number 72
Name: bosoxfan84
Date: June 21, 2004 at 13:21:57 Pacific
Reply:

i don't have the network security service

i have network connections, network dde, network dde dsdm, network location awareness...


0

Response Number 73
Name: ratdeleau
Date: June 21, 2004 at 13:55:43 Pacific
Reply:

Thanks to all the posts--most have been very helpful.

I've rid my system of the bug, but I killed the messenger too! I can't get IE to go online and I must have killed something it needs. In safe mode I ran the latest Adaware and then checked a bunch of stuff in Hijackthis. This forum doesn't want me to post my log, but I think I might have checked something I shouldn't have. I don't know what to add back in and I can't seem to export the backup log from Hijackthis. Any help?


0

Response Number 74
Name: ratdeleau
Date: June 21, 2004 at 14:14:30 Pacific
Reply:

Found the problem from my previous post and fixed. All is good.

Again, deep thanks to all who posted. What worked best for me was the safe mode adaware and hijackthis. Working so far!



0

Response Number 75
Name: Jay Ottawa
Date: June 21, 2004 at 14:15:10 Pacific
Reply:

Dave, thanks for your help, but I've tried your instructions twice and keep getting the same results.... it looks like it works at first, but within a few minutes my homepage is taken over again after reboot.

I've unchecked everything on my SERVICES tab that doesn't list Microsoft as the manufacturer. I don't recognize what most of these remaining Microsoft services do. Could it be that one of these is a masked spyware service that I should be shutting down, making themselves appear as Microsoft?

The only questionable thing on my START UP tab is startup item "jusched" under the c:/program files/... .../bin/jusched.exe, but I'm guessing this is an OK file. Could I be wrong?

Only questionable file under the windows or system directory is called wpa.dbl. No idea what a .dbl file is. Could this be the culprit? Its time isn't an exact match to when this problem started, but it's close.

I'm terrified of deleting something (or even renaming) and fouling up my PC. My PC is for work and I'm completely screwed if I junk it in my attempts to fix this problem.

Any (more) help would be appreciated.


0

Response Number 76
Name: Jay Ottawa
Date: June 21, 2004 at 14:17:06 Pacific
Reply:

Sorry, quick correction...

The only questionable thing on my START UP tab is startup item "jusched" under the c:/program files/java/ ... /bin/jusched.exe, but I'm guessing this is an OK file. Could I be wrong?


0

Response Number 77
Name: Mr. Clean
Date: June 21, 2004 at 14:48:24 Pacific
Reply:

i did the system restore with xp pro and it worked...my question is...is it safe now? is the HSA still on my computer? (i don't see it under add/remove), must i take further action? if so...what? thanks in advance...


0

Response Number 78
Name: gooner
Date: June 21, 2004 at 14:59:19 Pacific
Reply:

this is totally killing me...

i've followed all the instructions and then as soon as i think i'm ok, a new dodgy process pops up...

now i've got my homepage back but can't change my toolbar in explorer...


a few questions:

1. what does the Network Security Service actually do? I disable it though every time i see the new process, when i check it it's set on automatic again!

2. somewhere there are obviously still some bad files but i really haven't got a clue as to which ones i can delete!

any help would be VERY much appreciated.

cheers.


0

Response Number 79
Name: atomicdog420
Date: June 21, 2004 at 15:30:22 Pacific
Reply:

gooner to answer your question about network security service pretty much what it does is restart all the processes you worked so hard to shut down. then create randomly named files you worked so hard to delete and it'll also restart itself periodically if you don't kill it fast enough.. real piece of work ain't it?

also to all who are afraid of deleting important files.. you don't have to actually delete the file.. if they are in the recycle bin that's good enough so you could restore any files which are important for system operation. also you could move them all to disk if you wished so they could be easily moved back

Jay:
sounds like you haven't killed all the dodgy files make sure to delete anything that looks randomly named five letters some now i think are even seven and have a '32' on the end. go back as far as you can remember having the HSA. check the date of the file associated with the network security service that should be close to the original infection date.. delete all suspicious files from that date on and a little before from your windows and windows\system32 directory


0

Response Number 80
Name: ihatecomputers
Date: June 21, 2004 at 16:17:21 Pacific
Reply:

This thing has been bugging me for a while now. My homepage hasn't been changed in about an hour or so but HSA, SW, and SE regenerate themselves when deleted in the Registry Editor. Does anyone know how to get it to stop regenerating? I have disabled the NSS but now I can't access it anymore.

Any help is greatly appreciated. I am using Windows XP if it helps. If I cannot resolve this, I will probably just resort to reinstalling my operating system which will probably be easier than trying to fix this.

Thanks,
-ihc


0

Response Number 81
Name: Mr. Clean
Date: June 21, 2004 at 17:01:22 Pacific
Reply:

i did the system restore with xp pro and it worked...my question is...is it safe now? is the HSA still on my computer? (i don't see it under add/remove), must i take further action? if so...what? thanks in advance...


0

Response Number 82
Name: Jay Ottawa
Date: June 21, 2004 at 17:23:29 Pacific
Reply:

I think perhaps some of us have different strains of this spyware. No reason why system restore should work for one but not another.


0

Response Number 83
Name: Jimmy Jambo
Date: June 21, 2004 at 20:19:01 Pacific
Reply:

As I mentioned yesterday..I run XP and did
a System Restore to set to last Sunday
and it worked.....

Are you doing the Restore correctly ?


0

Response Number 84
Name: osbumlets
Date: June 21, 2004 at 20:46:13 Pacific
Reply:

(1) if you suspect this is the virus you have, there is no reason yet to disable any other services other than Network Security Service. if you do this you might lose your internet connectivity, among other things.

(2) searching for a filename or service in google will help you determine if a file is legitimate or not. not always, but often, legitimate filenames will show up in google and you can find pages telling the file/service's purpose.

(3) for some people, either getting a professional to help or formatting their computer is the best option.

if very little of this makes sense .. if "system restore" is the only manual alteration you've done to your computer before .. or if you don't know what most of the processes running on your computer are doing, take the safe route. back up your userdata and stuff you really need. downloadable programs (winamp, AIM) or programs that came with your computer (word, outlook), you can get back later. then use the original cd's you got with your computer and start over.


0

Response Number 85
Name: nofi
Date: June 22, 2004 at 00:07:26 Pacific
Reply:

I did it this way (WIN 98):

Download escan and run msavscan.com afterwards.

Download easy cleaner then run the easy cleaner tools "startup" and "software" and delete all yellow and red
marked entries.

Use "hijack this" to delete all related entries from the registry.

Afterwards "looking-for" didn't look anymore.



0

Response Number 86
Name: quathe
Date: June 22, 2004 at 00:14:48 Pacific
Reply:

More fine-search.net info:
FINE-SEARCH.NET

Website Title: SearchXP
Website Status: Active
Reverse IP: Web server hosts 38 websites (reverse ip tool requires free login)
Server Type: Apache/1.3.28 (Unix) mod_gzip/1.3.26.1a PHP/4.3.2 (Spry.com also uses Apache)
IP Address: 209.66.114.129 (ARIN & RIPE IP search)
IP Location: - Nevada - Carson City - Aps Telecom
Cached Whois: Cached today
Whois History: 6 records stored
Record Type: Domain Name
Monitor: Monitor or Backorder
Wildcard search: 'fine-search' or 'fine search' in all domains.
Other TLDs: .com .net .org .info .biz .us
X X [4 available domains]

Name Server: PRIM1.GPISOFT.COM
ICANN Registrar: DIRECT INFORMATION PVT. LTD., DBA DIRECTI.COM
Created: 2004-05-13
Expires: 2005-05-13
Status: ACTIVE


0

Response Number 87
Name: Golden Eagle
Date: June 22, 2004 at 01:05:50 Pacific
Reply:

Atomic Dog was right...you just have to find that one file that keeps causing the deleted files from coming back. In my case it was a variation of:

javadv32.exe

After this file was gone the bugger stopped creating additional .dll & application files.

My problem is solved thanks to Atomic Dog. It only took me 2 days and a lot of patience.


0

Response Number 88
Name: theterrible
Date: June 22, 2004 at 01:28:13 Pacific
Reply:

My problem was also solved thanks to AtomicDog. On my system, rather than HSA causing my browser to change homepages and such, it would just crash my browser when I tried to connect to any server via HTTP. This was solved initially by turning off third-party browser extensions (BHO's). But other things still didn't work properly, such as KazaaLite, which would also cause explorer.exe to crash. Thankfully, that common solution cured it, and now my Google Toolbar is back to blocking popups. :)

Tallwhitey, you may want to try that temporary solution if you cannot get rid of the hijack completely. Go to Control Panel->Internet Options->Advanced, then disable third-party browser extensions. This should allow you to access the web.


0

Response Number 89
Name: gooner
Date: June 22, 2004 at 02:01:03 Pacific
Reply:

@Atomicdog420 - thanks for your comments.

i now cannot stop the network security service - it gives me an error when i try and view its properties (not sure why).. and those fxcking processes are still popping up...

so, it looks like a system restore..

am i right in thinking that by doing a system restore, the only thing that happens is that i lose the data that i've been working on, and programs that i've installed since the restore date? so if i back them up somewhere else then i'll be ok?

also, why would you want to completely reformat your pc given that system restore exists? has anyone found that system restore DOESN'T work?

thanks a lot.


0

Response Number 90
Name: hgs
Date: June 22, 2004 at 08:15:19 Pacific
Reply:

I tried system restore and found it did not work. I tried to restore to June 15, as I picked up this crud on 17th or 18th. My computer reacted as if system restore were working but then reported that the restore failed. I tried again and was told that there were "no longer any restore points available" before date shown (June 21). Is it possible that this thing has hijacked system restore as well?


hgs


0

Response Number 91
Name: hpnas
Date: June 22, 2004 at 08:48:33 Pacific
Reply:

Will re-installing Windows XP solve this problem? I can't get rid of this thing for the life of me.


0

Response Number 92
Name: ScottH
Date: June 22, 2004 at 08:55:24 Pacific
Reply:

Ditto on everything said above. I have tried everything mentioned above. I have one problem that I haven't read. The random 5-letter files in the Registry are 6-letter in my computer. Therefore I am unsure about all of the ones to delete. I am not that 'computer-confident' to try. Also, I can not do a system restore. When I try it says that there are no restore dates available. Also, one final note, I'm pretty sure that I received the virus through an email. My Norton's detected a virus on an incoming email. I quarantined the file and then deleted it. Then, the next time I opened Internet Explorer my homepage was reset to Home Search. I hope someone comes up with something to beat this thing. Thanks for all of the help.


0

Response Number 93
Name: BeniSch.
Date: June 22, 2004 at 09:10:59 Pacific
Reply:

Hi folks
first i have to say that my browser wasn't hijacked because i didn't click the link appearing when i wanted to remove these three programs. And finally i found a way to delete them. I used "Your Uninstaller 2004 Pro" from download.com.
Hope it will help some of you too.


0

Response Number 94
Name: eriks2004
Date: June 22, 2004 at 09:36:58 Pacific
Reply:

*********************************
THE QUICKEST AND EASIEST SOLUTION
*********************************

This should only take you about 15 minutes:

(You will need the following programs, available at Downloads.com: Norton antivirus, adware, and advanced uninstaller pro 2004)

1- Run Norton Antivirus

2- Get Adware update

3- Run updated version

4- Run Hijackthis- remove all objects related to home search

5- Run Uninstaller pro

6- Go to control panel feature then the add/remove feature (ur still using uninstaller)

7- Click on 1 of the 3 programs (home search, wizard etc..) and use the FORCE option, standard uninstall will not work

8- Repeat for the remaining two

It is now gone!


0

Response Number 95
Name: eriks2004
Date: June 22, 2004 at 09:39:20 Pacific
Reply:

Another suggestion, before following my steps, exit all internet functions that are not necessary, delete the xmrv (something like that) file from your windows, system32 folder, just click x and ull prolly find it. As well, do not restart during the process


0

Response Number 96
Name: ihatecomputers
Date: June 22, 2004 at 14:40:08 Pacific
Reply:

I have tried these solutions multiple times and can get it out of the control panel's add/remove program list but it just keeps regenerating. In my system32 folder, I still have a lot of .dll and .exe files. However, when I go to their properties it says it is from Microsoft and will explain that its function is for something I recognize such as Windows Media Player. Is that trustworthy or can these types of viruses/spyware say they are something they are not? Also, I have run Hijackthis many times and know which things to delete but they keep coming back as a different name. Does anyone have any tips for finding that one file that makes it regenerate?

Thanks,
IHC


0

Response Number 97
Name: damnvirus1234
Date: June 22, 2004 at 16:33:10 Pacific
Reply:

hey guys..

well ive had this virus for about a week and a half now. luckily i found this forum. I have been following atomicdogs directions. I have deleted most of the 5 letter .dll files but some cases i am unable to delete them such as socks55.dll with a pop up that says that access is denied. What the hell do i do about that if i cant delete these files. And should i even bother going through the rest of the directions to see if i can get rid of this


0

Response Number 98
Name: zemmie
Date: June 22, 2004 at 19:59:19 Pacific
Reply:

A420 you rock! I followed your directions to a tee and it got rid of the majority of my problems. I still had the about:blank page pop up but today's new definitions on AdAware got rid of that. Thanks a million


0

Response Number 99
Name: arme
Date: June 23, 2004 at 06:06:52 Pacific
Reply:

First sorry for my English.
The problem should be an executive file that installs HSA and other 2 programs. You must delete this file.
1) Disconnect from Internet
2) Run adaware to try the file (in my PC sdken.exe). Note that adaware is able to show the file but not to delete it.
3) Run Hijackthis
4) In task manager stop the process of that file
5) Delete manually the file
6) Run adaware
7) Restart windows

I think I have won the battle!


0

Response Number 100
Name: andrewc111
Date: June 23, 2004 at 13:42:35 Pacific
Reply:

hey, i still cant get rid of this thing, ive run ad-aware and gotten rid of all the bad files in there. ive run hijackthis, but every time i delete the random 5 letter .dll's they reappear with a different 5 letter combination. here is my last hijackthis log, please tell me if there are files on here that i should be deleting, any help would be greatly appreciated, thanks

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\documents and settings\andrew\local settings\temp\OQ8.exe
C:\WINDOWS\msas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM+\AIM+.exe
C:\WINDOWS\System32\tcmpvcno.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntub32.exe
C:\Documents and Settings\Andrew\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sprpu.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sprpu.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {66EE64B4-816A-C2A8-1639-AB8F0F258A12} - C:\WINDOWS\ipca32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [OQ8] C:\documents and settings\andrew\local settings\temp\OQ8.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Andrew\LOCALS~1\Temp\app6C.tmp
O4 - HKLM\..\Run: [msas.exe] C:\WINDOWS\msas.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - HKCU\..\Run: [Zws9Rja3Q] tcmpvcno.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.8776851852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab



0

Response Number 101
Name: Mercator
Date: June 23, 2004 at 15:55:17 Pacific
Reply:

I think I got rid of it. I followed atomicdog420's procedure. I'm still running Win 95, so I also had to download and run PRCview instead of using the services.msc command. I also deleted anything "dodgy" in my c:\windows\system folder in addition to c:\windows\system32. I think the name of the b---tard file on my system was javaex32.


0

Response Number 102
Name: The User
Date: June 23, 2004 at 16:17:28 Pacific
Reply:

Being the commensurate user, there was no way I could have even "followed" some of the instructions here (although I'm sure they were expert!!) However, I did manage to stumble on Niteriders instructions (Item 57) and I downloaded Adaware 6.0.... worked like a charm...so far.


0

Response Number 103
Name: ratdeleau
Date: June 23, 2004 at 16:28:52 Pacific
Reply:

andrewc111:

I'm no expert, but of the processes in your post, these look bad to me:

ntub32.exe
R1 string (the first and second one)
R0 string
O2 string


0

Response Number 104
Name: photman
Date: June 23, 2004 at 18:23:39 Pacific
Reply:

If you want to regain control of your browser and get rid of Home Search Assistent, go and download Ad-aware 6.0 from LavaSofts Website. It is free for Personal use...

Then download and install the update reference file: 01R324 22.06.2004. Run it, re-boot and Home Search Assistent should finally be gone!

I had the b---tard trojan on my system for the last two weeks and nothing would get rid of it... Until I installed Ad-aware 6.0...

Spread the word and "put your boots" into these b---tards!

Of special note on LavaSoft's Website forum, is the reference to the multitude of "Fake" Adware and Trojan removal software out there. In distinct contrast to the charlatans and con men who run the fake outfits (whose popups seemed to arrive quite regularly on my desktop before!), Lavasoft would be the most experienced company to produce software to tackle this confounded problem.

Good Luck,

Brian



0

Response Number 105
Name: lynnifer72
Date: June 23, 2004 at 21:13:42 Pacific
Reply:

I have tried all of the above to no avail. I am exhausted, frustrated and ready to throw my system from my third floor balcony.

There should be harsher punishment for creation of these things! I used my computer for medical research on a rare ailment and now it's not functioning properly at all .. keeps reverting back to that stupid search page.

Looks like my only recourse is to reformat.


0

Response Number 106
Name: damnvirus1234
Date: June 23, 2004 at 21:39:39 Pacific
Reply:

hey guys..
well ive had this virus for about a week and a half now. luckily i found this forum. I have been following atomicdogs directions. I have deleted most of the 5 letter .dll files but some cases i am unable to delete them such as socks55.dll with a pop up that says that access is denied. What the hell do i do about that if i cant delete these files. And should i even bother going through the rest of the directions to see if i can get rid of this.

TO BRIAN TASKER. I downloaded the file. do i go to start and then run and type in reflist.exe. I have done this, but it says it cannot open this file. if someone reads this can you please help me im going fing nuts here and im not much of a computer genius. thanks


0

Response Number 107
Name: damnvirus1234
Date: June 23, 2004 at 21:40:48 Pacific
Reply:

by the way brian i typed in reflist.ref


0

Response Number 108
Name: Firepoon
Date: June 24, 2004 at 01:11:09 Pacific
Reply:

I also was infected with this SOB. Bloody Ruski's!!!
I took some info from atomicdog420... *Lights a spliff and hands it to Atomic* and I also tried my own techniques even though they may have seemed a little illogical. Last night i sat on the computer running Adaware, Spysweeper, Spybot S&D and Advanced Uninstaller Pro 2004. Yeah, well i got to the point where i could get all the spyware out of my computer and take my start page back over for the initial run of IE. Yeah, well after closing it, I soon realised that it was to be taken back over by this offending malware. I soon began to notice a pattern. I could eliminate coolwebsearch registry key from Adaware, and eliminate the 3 pieces of software from Advanced Uninstaller, but as soon as I opened the browser, it would all return. I soon gave up for the night. After coming home from Work, I noticed that AVG had detected about 70 infected files all with this tag... "trojan downloader.vbs.psyme.e" or "trojan downloader.winshow.AN" It gave me all the names of the *.exe and *.dll files that these were attached to, so I went into the Windows Folder and Windows\System32 folder and deleted them all. I then ran kaspersky Virus scan to eliminate any other potential viruses that were not detected by AVG. I then ran Adaware once more to detect all the *.dat files left in the Windows and Windows\system32 folder. Upon this it detected the coolwebsearch registry key. I then went into regedit and deleted a bunch of registry keys as Atomic had suggested, i found a large amount of folders that displayed Coolwebsearch and i deleted anything that had any relation to it. I also then deleted all the history folders which took about 20 mins because there were about 1000 of them. After this i ran Advanced Uninstaller and Hijack This, and removed any more incriminating software. Rebooted, and crossed my fingers. To my Surprise, my computer booted quite quickly without any virus warnings and with no Coolwebsearch to be found! I am now free from the communist rule! b---tardS!!
I apologise for the long post but i thought my reply would interest somebody! There actually is a fix! :) All you need is AVGFree Edition which will tell you it cant delete the files. Delete the files manually. ADAWARE, Spysweeper, Hijack This, Advanced Uninstaller, and Kaspersky Virus Scan. You will be on your way! THANK YOU SO MUCH!!


0

Response Number 109
Name: DML
Date: June 24, 2004 at 07:09:46 Pacific
Reply:

Thanks to the advice on this page, I was able to clear a bad infestation of Home Search off a friend's PC running Win98 SE with a cable modem connection. The trojan had installed a huge number of files since 16 June 04 and the PC had become so slow that it was completely unusable, even with 256 MB of RAM. Neither Ad-Aware with a recent update nor Spybot found anything.

First go into Windows explorer and turn off the 'Hide file extensions for known file types' nonsense otherwise you can't see what you are doing.

I then looked in the C:\WINDOWS and C:\WINDOWS\SYSTEM folders, sorted them by date and deleted all .exe .DLL and .DAT files with random names like dfkvb.dat mdpvq.dll crjz32.exe that had file dates 16 Jun 04 or later. I deleted 3100 of these junk files. Is this a record?

I also deleted a suspicious file C:\WINDOW\javapt32.exe and I noticed that C:\WINDOWS\defragment.exe and C:\WINDOWS\scanregw.exe both had a 19 June 04 date, the file size was wrong (about 19k) and the file properties didn't show any version information. I deleted defragment.exe because the Win98 SE defragmenter is called defrag.exe not defragment.exe and that looked OK. I checked scanregw.exe with McAfee anti-virus with a recent update but it did not find anything. I deleted scanregw.exe and replaced it with an uninfected version from another Win98 SE PC. It is important to CHECK SCANREGW.exe because this Windows system file runs at startup so if it is infected, it will reload the trojan. It may also be a good idea to check RUNDLL32.exe

I then installed HijackThis from Merijn.org at http://www.spywareinfo.com/~merijn/downloads.html
but I couldn't run it until I updated MSVBVM50.DLL to MSVBVM60.DLL by downloading from Microsoft on another PC. There is a link to the MS download page on Merijn.org

HijackThis is brilliant, well done Merijn. In category O2, it found 837 BHO (Browser 'Helper' Objects). 2 of these were legitimate (Google toolbar and Acrobat) and I deleted the other 835. It was saying 'file missing' because I had already deleted the files manually. In category O4, HKLM\..\Run: it found about 30 - 50 entries (I lost count) to run random 5 letter file names at startup. This was what was crippling the PC. I deleted all these and also the one to run javapt32.exe It all seems to be OK now.


0

Response Number 110
Name: enyce9
Date: June 24, 2004 at 16:00:32 Pacific
Reply:

I had this P O S on my computer but I think its gone now used pc cillin internet security 2004 with their Controlled Pattern Release
Date released: Jun 24, 2004
Latest controlled pattern file: 915 (1.915.00)

hijackthis, plus youruninstaller 2004, spybot and ad-aware, so far so good.


0

Response Number 111
Name: ford.prefect
Date: June 24, 2004 at 18:11:08 Pacific
Reply:

for win2k and xp
get the removal tool from the rubber ducky

here is the link http://www.zerosrealm.com/index.php?page=dllfix

it saved my sanity.....


0

Response Number 112
Name: KBLBird
Date: June 24, 2004 at 20:53:08 Pacific
Reply:

ive tried atomicdogs ways but i dont know which things to delete so here is my "Hijack This" log list:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\documents and settings\kblbird\local settings\temp\wbFDAit.exe
C:\WINDOWS\system32\d3ke.exe
C:\WINDOWS\System32\wtscc.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ntvl.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINDOWS\System32\x0r\svshost.exe
C:\Documents and Settings\KBLBird\My Documents\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxryp.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bxryp.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bxryp.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bxryp.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bxryp.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bxryp.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {2E1F2573-7365-8788-4904-8D56167433A3} - C:\WINDOWS\system32\crgt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wbFDAit] C:\documents and settings\kblbird\local settings\temp\wbFDAit.exe
O4 - HKLM\..\Run: [AutoLoaderrw321JLjdLLd] "C:\WINDOWS\System32\objtcpip.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r3sk37W] objtcpip.exe
O4 - HKLM\..\Run: [d3ke.exe] C:\WINDOWS\system32\d3ke.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtscc.exe
O4 - HKCU\..\Run: [a03qRXapi] dpwwn11n.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter.com/pop_shooter/install/win2000/SYSsfitb.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

some one please help me. thanks


0
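An added example, not part of any post in this thread: the manual triage several posters describe (home pages served via `res://` from a random-named DLL, Hosts redirects, Run entries launching from Temp) written as a Python parser over HijackThis log lines. The sample lines are copied from the logs posted above; the rule names, the `PATHLESS_OK` allowlist and all function names are assumptions of this example, and a flag means "review this entry", not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section rule line")

# Lines copied from the HijackThis logs posted in this thread (Responses 100 and 112).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32/left.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sprpu.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bxryp.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msn.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {2E1F2573-7365-8788-4904-8D56167433A3} - C:\WINDOWS\system32\crgt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wbFDAit] C:\documents and settings\kblbird\local settings\temp\wbFDAit.exe
O4 - HKCU\..\Run: [a03qRXapi] dpwwn11n.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
"""

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RES_DLL = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/", re.IGNORECASE)
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)")
RUN_KEY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[([^\]]*)\] (.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
LOOPBACK = {"127.0.0.1"}
# Assumption: launchers that legitimately appear in Run keys without a path.
PATHLESS_OK = {"rundll32.exe"}


def classify(section, body):
    """Return the name of the rule this entry trips, or None."""
    if section in ("R0", "R1"):
        # IE start/search page pointing at a local resource instead of a web URL.
        value = body.split(" = ", 1)[-1]
        if value.lower().startswith(("res://", "file://")):
            return "ie-local-resource"
    elif section == "O1":
        # Hosts entry sending a hostname anywhere other than loopback.
        m = HOSTS.match(body)
        if m and m.group(1) not in LOOPBACK:
            return "hosts-redirect"
    elif section == "O2":
        if body.startswith("BHO: (no name)"):
            return "unnamed-bho"
    elif section == "O4":
        m = RUN_KEY.match(body)
        if m:
            command = m.group(2)
            if TEMP_DIR.search(command):
                return "run-from-temp"
            parts = command.lstrip('"').split()
            exe = parts[0] if parts else ""
            # Autostart given as a bare file name, resolved through the search path.
            if exe and not re.search(r"[\\/:]", exe) and exe.lower() not in PATHLESS_OK:
                return "run-bare-name"
    elif section == "O10":
        if body.startswith("Unknown file in Winsock LSP"):
            return "unknown-lsp"
    return None


def triage(log_text):
    """Parse a HijackThis log and return the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # process list, blank lines, free text
        rule = classify(m.group(1), m.group(2))
        if rule:
            findings.append(Finding(m.group(1), rule, line))
    return findings


def hijack_dlls(findings):
    """Names of the DLLs whose res:// pages were set as IE start/search pages."""
    names = set()
    for f in findings:
        m = RES_DLL.search(f.line)
        if m:
            names.add(m.group(1).lower())
    return sorted(names)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.rule:18} {f.line}")
    print("DLLs serving the hijacked pages:", hijack_dlls(results))
```

The DLL names returned by `hijack_dlls` are the "5 letter file" that later posts say to write down before cleaning, since the same name recurs across the R0/R1 entries.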

Response Number 113
Name: insanely
Date: June 25, 2004 at 04:03:09 Pacific
Reply:

i know how to get rid of it, no matter what the names are, and its all automated...

ok go to this address and at the bottom is a file to download which automatically deletes all the hijacking files, but it doesnt load a programme it just does it instantly in the background. the address is http://looking-for.cc/uninstall/ShoppingWizard.html and it gets rid of the programme totally and resets your homepage to msn.com

this will work! let me know what you think


0

Response Number 114
Name: dino72_97
Date: June 25, 2004 at 08:37:28 Pacific
Reply:

Insanely,

That doesn't work.


0

Response Number 115
Name: insanely
Date: June 25, 2004 at 09:45:58 Pacific
Reply:

it does work it got rid of the browser hijack on my computer and its the uninstaller made by the people who are hijacking it


0

Response Number 116
Name: abc123
Date: June 25, 2004 at 10:53:36 Pacific
Reply:

Just thought I'd let you guys know:
http://looking-for.cc/uninstall/homesearchassistant.html gives a link to uninstall. This, however doesn't work alone. You'll need to disable the System Security which regenerates the problem. I also deleted the 5 letter .dats and .exes. I also used HiJackThis. DELETE ONLY WHAT SHOWS THAT IT HAS TO DO WITH THE HOMEPAGE!!!! You do NOT want to mess up your computer. I also don't recommend using the Registry Editor. I didn't need it, and if you do something wrong, well...Yaknow. So, good luck. It's very possible to get rid of this.


0

Response Number 117
Name: warren
Date: June 25, 2004 at 21:11:40 Pacific
Reply:


Hello All,

I used the atomic one's solution and it worked for me. Cheers.


0

Response Number 118
Name: lovemebab
Date: June 26, 2004 at 09:23:22 Pacific
Reply:

I used atomicdog420's solution and it seemed to work, except all of the home search assistent programs are still in my add/remove program list. Any ideas?

Thanks, BEth


0

Response Number 119
Name: PixelFusion
Date: June 26, 2004 at 10:24:00 Pacific
Reply:

I think I've solved the problem.
I tried Spybot, Adaware, and Advanced Uninstaller but the problem kept coming back. I'm no computer expert and it's my first time to hear of spyware but I did a regedit and looked at the RunOnce and RunEx. If you look at where it references to you will see it runs the spyware everytime you reboot which replicates itself in your Windows directory and Windows\system32. Write down the programs it references to, in my case it was apphh.exe, crbi32.exe, msiw.exe, and in system32\msru.exe

Then reboot in safe mode and go into your windows directory, make sure you set the view in explorer to see all system files and hidden files else you won't see it. Then rank the files by date. Delete funny dlls and dats in Windows directory created in the past week or 2. Generally you shouldn't have any recently created dlls or dats. Make sure you delete those files noted in the regedit under RunOnce. Then go into System32 and rank the files again by date and similarly delete all the files recently created in the past 2 weeks. Don't worry if you delete something critical. You can reinstall your WinXP and fix it. But generally you can tell if it's critical or not. When you hover your mouse cursor over the file or highlight it you will get a description telling you its a Microsoft file. I've generally seen all Microsoft files when you hover a mouse cursor over it tell you its a Microsoft file so you don't want to delete it. If it says nothing except file created date then you can delete it.

Then reboot in normal mode.

Now you should be ok. But now do a final cleanup with Spybot and Adaware. And finally with Advanced Uninstaller you can remove the Home Search Assistant, Shopping Wizard, and Search Extender.

Reboot one more time in normal mode.
Now check in add remove program it should be gone. Now run your Internet Explorer and it may try to default to that old file but will get an error message. Go to Tools / Options and set homepage to blank or whatever. Then empty your cache and cookies and clean up EVERYTHING.

Reboot one more time. And all should be fixed. Run your Explorer and you'll notice everything should be back to normal. At this point you should do CREATE system restore checkpoint for future use.

By the way you should do all of the above only if you can't go back to an earlier restore checkpoint, which was the problem I had.

I've tried everything else and I believe this is the only way to remove it. The most critical is to ensure that in your registry you remove the RunOnce and RunEx and also check the Run folder for possible files that might look suspicious. Don't be afraid to delete files. You can reinstall whatever application you have that's faulty later.

It should work.


0

Response Number 120
Name: PixelFusion
Date: June 26, 2004 at 10:55:02 Pacific
Reply:

Just a followup on earlier msg.
I noticed that if you didn't do a proper cleanup as posted above the file will recreate itself. And in Internet Explorer it will default back to that annoying site. You can temporarily disable this in Tools Options and set the 'enable 3rd party browser extensions' to Unchecked. But when you recheck it and restart your Explorer the problem comes back. So you have to do a proper cleanup meaning deleting the dlls and dats and exes which don't belong there. Generally say you installed your XP a while back there then should be no recent dlls or dats or exes. In fact there should be NO DATs in your \Windows folder and in Windows\system32 you must watch out for recent dlls and dats and exes.


0

Response Number 121
Name: Dr. Raz
Date: June 27, 2004 at 09:32:30 Pacific
Reply:

I have coolwebsearch that shows up after running Ad-aware and Hijack this. I also have "Search Extender" and "Shopping Wizard" that control panel will NOT allow me to remove these programs. This redirects me to what I believe is the hackers' website, which I am not about to request an uninstall on by sending the my IP address - no thanks.

I have tried EVERYTHING to get rid of this, and done so, but only temporarily, as it re-replicates somehow.

I'm using Mozilla Foxfire until there is a security patch or new and effective trojan horse killer available.


0

Response Number 122
Name: Dr. Raz
Date: June 27, 2004 at 09:33:13 Pacific
Reply:

I have coolwebsearch that shows up after running Ad-aware and Hijack this. I also have "Search Extender" and "Shopping Wizard" that control panel will NOT allow me to remove these programs. This redirects me to what I believe is the hackers' website, which I am not about to request an uninstall on by sending the my IP address - no thanks.

I have tried EVERYTHING to get rid of this, and done so, but only temporarily, as it re-replicates somehow.

I'm using Mozilla Foxfire until there is a security patch or new and effective trojan horse killer available.

Whoever did this should have their gonads fried with a sears 1,100 cold cranking watts battery.



0

Response Number 123
Name: toasterted
Date: June 27, 2004 at 11:13:14 Pacific
Reply:

this is what i got for a HijackThis log plz help me decide wich r not good (and i said PLEAZE!)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\GEARSEC.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\sdkvf.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\winiq.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\FAMILY~1.DEV\LOCALS~1\Temp\Rar$EX02.031\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lebqd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lebqd.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvp

JaY


0

Response Number 124
Name: PixelFusion
Date: June 27, 2004 at 14:07:02 Pacific
Reply:

One more thing regarding internet history. After you've done the above as I've indicated, you can download "Free History Eraser" which will delete any remnant autocomplete and historical tracks and you're scott free.

Remember I'm a neophyte and never heard of malware until yesterday and don't know anything about dats and dlls and still I managed to clean up my computer of this insidious hijack so you can too. It's critical that you remove all the RunOnce in the registry. It executes the replication and resides in memory. Make sure to delete those files too! When it used to work and I used the restore to earlier point, the files were still residing in my hard drive but because it restores to an earlier point before the program inserted the RunOnce on boot it fixed the problem but the trojans were still sitting dormant in my computer.

I'll be following up here for 2 more days so let me know if you have any questions before I disappear. I was able to solve this problem thanks to reading all your contributions so thought I'd contribute my solution as well.

Ciao ciao


0

Response Number 125
Name: Kristoffo
Date: June 27, 2004 at 15:36:59 Pacific
Reply:

OK, I think after playing with this bloody thing for 3 days I have it beat. I did multiple scans with Norton AV, Adaware, Hijack this, CWS Shredder and Advanced uninstaller pro. I just downloaded AVG and ran into a big problem: when I try to install I get the following errors: 1) Cannot find SHELL.DLL and 2) Cannot find file C:\Docume~1\user\LOCALS~1\temp\WZS9.tmp\setup.exe (or one of its components). What have I done and how can I fix this??


0

Response Number 126
Name: seansean
Date: June 28, 2004 at 08:42:57 Pacific
Reply:

Most impressed with anyone who can beat this bugger.

Myself, I'm following the instructions but I haven't got any process looking anything like "Network Security Service"... Anyone found out what other name this might be running under?


0

Response Number 127
Name: ggriff
Date: June 28, 2004 at 12:56:12 Pacific
Reply:

Found this on the MajorGeeks board - a program to remove HSA.
http://www.majorgeeks.com/download4284.html

I'm at work, w/ HSA on my home PC, so haven't had a chance to test it myself.

Nasty bugger!


0

Response Number 128
Name: jdledhead
Date: June 28, 2004 at 18:50:22 Pacific
Reply:

You can get rid of this POS if you stick with it. I used a combo of atomicdog and sprengstof methods.

1. Make a note of the "5 letter file" that is taking over your homepage. Mine was "atdmt"

2. Get Adaware6.0 latest update, HiJackThis, and UninstallPro from Downloads.com

3. Disconnect from the internet.

4. Boot up in SafeMode.

5. Run Adaware. Delete everything it finds.

6. Run HiJackThis. Delete everything that looks bad. Make sure to delete everything that matches the "5 letter file" you recorded.

7. Use UninstallPro to FORCE remove Home Search Assistent, Shopping Wizard, and Search Extender from the Programs Menu if they are still there. Then use the Temp Internet File cleanup tool to delete all your temp internet files.

8. Run regedit. Find and delete the directory HSA and all files in it from the program registry. Do a search for "home" and delete any files called "homesearch". This takes time.

9. Use windows explorer and do a search for the "5 letter file" and delete any you find.
Make sure you select the hidden files and folders option.
Then find C:\windows\PREFETCH. Delete it.

You have to stick with it and repeat the scans and searches several times in safe mode and in regular windows mode. Do it all several times while you are disconnected from the internet and BEFORE you try opening your browser. Pay attention to the results of the Adaware scan because the "5 letter file" might change names.

I think I'm free of this *&%$@#*& thing.
Good news is it does not appear to have damaged my machine.

Thanks again Atomicdog and sprengstof!


Geoffrey Hughes


0

Response Number 129
Name: alcachy
Date: June 29, 2004 at 06:40:45 Pacific
Reply:

Hello everyone,

Yesterday I was in trouble with the HSA problem the entire day, and finally I found this forum, which gave the solution.
First I would like to thank ATOMICDOG420,
who discovered the solution in RESPONSE NUMBER 6.
If you follow EXACTLY all the steps he described, you WILL SOLVE the problem for sure, but of course you need to have the same problem, I mean the following programs installed:
- Home Search Assistant
- Search Extender
and
- Shopping Wizard

Thanks again ATOMICDOG420. Well done.

Just two questions ATOMICDOG420:
How long did it take you to find the solution, and did you find it yourself or did someone else tell it to you?



0

Response Number 130
Name: stevev
Date: June 29, 2004 at 11:29:32 Pacific
Reply:

Also, download the latest version of JAVA- 1.4.2_04 build b05. The security is much tighter. IE's security is lacking.


0

Response Number 131
Name: toasterted
Date: June 29, 2004 at 12:31:57 Pacific
Reply:

I used the program described in Guy's message #127 and so far... my computer seems fine...
I mean my spyware dealio's not freaking out about changing my homepage anymore,
although it's only been a few moments...
How can I be sure it's gone?


JaY


0

Response Number 132
Name: bam3783
Date: June 29, 2004 at 12:43:42 Pacific
Reply:

I can't seem to get rid of the Home Search Assistent problems. Every time I try to use methods shared by others it seems to just come back over and over again. I get the internet homepage res://*****.dll and every time I try to get rid of it, it comes back under a new name, for example: res://abc.dll, then res://def.dll, and so on. I also have the HSA, Shopping Wizard, and Search Extender in my add/remove programs and when I use the Uninstall Pro to force remove, it's back on my computer within a matter of minutes. I know I'm not the only person with this problem, but does anyone have any other ideas other than what's already posted on the internet?????? PLEASE HELP *US*!


0

Response Number 133
Name: Ricker
Date: June 29, 2004 at 19:15:16 Pacific
Reply:

I am infected with the HSA virus. Mine comes up as http://wwwfeyfz.dll/index.html#37794. I tried Atomicdog420's idea and after doing the ctrl, alt, delete thing and the network security service thing it doesn't seem to work. I delete what you say in windows and windows 32 but the icons keep reappearing right in front of my eyes. Am I not removing something from the first ctrl, alt, delete step? This virus sucks; all I tried to do was delete an email and I think that's how I got it. Whoever you are that did this to all of us, I hope you die.


0

Response Number 134
Name: R_E
Date: June 30, 2004 at 19:39:10 Pacific
Reply:

Here is one file that seems to be connected with this nasty that I don't think has been mentioned in this thread.

wmplayer.exe.js in your Windows Media folder.

Maybe once you knock it out, dump WMP and stop surfing Russian porn sites.


0

Response Number 135
Name: Jimmy Jambo
Date: June 30, 2004 at 21:18:09 Pacific
Reply:

I can't believe what I am reading

Two weeks ago I came to this forum 'cause I got the HSA virus...

Since then I posted TWO MESSAGES about how to get RID of this menace...

My method has nothing to do with all the GREAT THINGS ATOMIC DOG has written..

His posts as well as all the other posts leave me wondering if anybody can read and
simply use SR that is already on their computer..

forgive me...but it is getting really a laughing matter when the solution to HSA has already been posted and the people CANNOT grasp the answer and instead will download all methods of questions and in so doing ..raise the ATOMIC DOG to heights he or she has not dreamed of......

thanks

( HSA FREE ) JimmyJambo


0

Response Number 136
Name: gooner
Date: July 1, 2004 at 02:27:02 Pacific
Reply:

@Jimmy Jambo

System restore does NOT work for everybody.

I cannot do a system restore though I have followed everybody's instructions and STILL cannot remove this thing..

I have to wipe everything and install Windows from fresh....



0

Response Number 137
Name: zowie2
Date: July 1, 2004 at 09:27:35 Pacific
Reply:

atomicdog420...YOU ROCK!!

Bow wow wow yippee yo yay!!

I followed your steps in Response #6 and I'm free of this Trojan. Running Win2k, I did everything in Safe mode first and after a cold reboot I got my browser back. I would add the following if it's not been suggested:

* You might also see "Shopping Wizard" and "Search Extender" in Add/Remove Programs and you can't get rid of them by normal means.

* Do a REGEDIT and search for "Shopping" then "Extender". Delete the keys that associate with "Shopping Wizard" and "Search Extender". Mine were labeled HSA and SE.

Once you get rid of the keys they should disappear from Add/Remove Programs.


0

Response Number 138
Name: Thresher
Date: July 1, 2004 at 14:11:22 Pacific
Reply:

Jimmy jambo:

I cannot find the two earlier posts you mention, can you tell me what title they were posted under and what date?

Thresher


0

Response Number 139
Name: Hottie
Date: July 1, 2004 at 14:51:23 Pacific
Reply:

I deleted the HSA and SE folder, and still wasn't able to remove Shopping Wizard and Search Extender from my add/remove programs. Any ideas how to get rid of it?

Thanks..


0

Response Number 140
Name: Primitive
Date: July 2, 2004 at 06:29:46 Pacific
Reply:

I am using XP pro and for some reason can't get into safe mode. It doesn't appear as an option. Anyone else have this problem? and does anyone have a solution?
Also, like many others I can not do a system restore - it used to be the magic bullet.


0

Response Number 141
Name: NAILBOMB
Date: July 3, 2004 at 08:19:13 Pacific
Reply:

I don't understand why people make garbage like this ... to be cool? ... a grudge? ....
I'd like to smash the face in of the person or persons responsible for this one!


0

Response Number 142
Name: CapnC
Date: July 3, 2004 at 09:16:40 Pacific
Reply:

Thanks to all. I went on vacation and the HSA was picked up by the family. Wanting to try the easiest first I used #104 from Brian Tasker. The Ad-Aware with an updated registry file did the trick. Thanks to Brian and the folks at Lavasoft.
1. Get Ad-Aware 6.0+
2. Use the Webupdate to get the updated regfile (little globe on the top right)
3. run it
4. delete all found (I had 81)
5. re-boot.
6. done

Again thanks to all.


0

Response Number 143
Name: empresswuhu
Date: July 3, 2004 at 22:17:42 Pacific
Reply:

I'll add my voice to the chorus of kudos for atomicdog420. Finally got rid of this crap last night after trying for more than a week. I checked out several forums and your response #6 was the first one to help me.

I couldn't use System Restore because I'd had to turn it off for an unrelated problem and lost my restore points as a result, and I'd been running Ad-aware for days but the bad files kept regenerating under new names. I think the key was disabling that "Network Security Services" thing, which I had no idea even existed.

I ended up manually deleting about 80 files from C:\WINDOWS and C:\WINDOWS\system32. Basically I got rid of any .exe, .dll and .dat files created this year; anything legit had a much earlier date of creation. The bad files went back as far as April! They also got easier to recognize after a while because a lot of them had the same file sizes. (Be sure you have your system set to show hidden files and folders.)

I'm squeamish about using regedit, but I have Norton SystemWorks and the One Button Checkup fixed my registry problems. I then rebooted and was able to get my home page back in IE - yay! - but the Home Search Assistent(sic), Search Extender and Shopping Wizard were still in Add/Remove Programs. I updated and ran Ad-aware, rebooted, and the rogue programs were off the list!

While I was struggling with the IE homepage hijack and popups, I installed Mozilla Firefox as an alternative and like it fine; images load a tad slower but I have a fast cable connection so that's OK, and I like the tabbed browsing. I would cheerfully abandon Microsoft's vulnerability-ridden P O' S henceforth and forever more, but my husband insists that he needs IE for some stuff he does. I am insisting that he at least use Firefox for his porn browsing ;)

Adawada (response #63): you can't uninstall Windows Media Player. I know, I tried. My Norton's picked up viruses in WMP more than once. If you have a file in Program Files/Windows Media Player with the .js extension, get rid of it! It doesn't belong there. There's plenty of alternatives to WMP, I'd avoid it entirely. Gooner (response #89): System Restore won't lose your data, but you will lose programs you installed after the restore date, so be prepared to put 'em back.

Thanks again for helping me solve this truly obnoxious problem. Besides the homepage hijack and popups, this thing somehow managed to screw up one of my photo editing programs and possibly an audio editor as well. This Russian fellow deserves to be strung up by his testicles, that is, if he has any.



0

Response Number 144
Name: hoovid
Date: July 4, 2004 at 05:33:06 Pacific
Reply:

I too have been fighting this multi-faced little beastie for nearly a week and today, am officially clean!! I used Norton Anti-Virus to identify the files but it couldn't remove all of them. It suggested I write down the path and remove them manually with Explore, but when I tried that, the files weren't there as identified. Between Ad-Aware, Spybot, Hijack This and posted suggestions I was able to clean out some of the bad files and get some control over my IE browser, but they kept replicating under different names. Then I had Spybot alerting me every 3 minutes that the louse was trying to re-install every time I changed browser pages or did anything, for that matter. I also couldn't get rid of the three weasel programs, HomeSearch Assistent, Shopping Wizard and Search Extender. I decided to try avast anti-virus program and voila! It cleaned out 45 bad files and then told me to re-boot so it could get the rest as they were already active and it would scan before windows start-up. There went the rest. All was well - Spybot was quiet, and all worked again except for the miserable 3 programs still listed in Add/Remove programs. Uninstall Pro thought it removed them, but upon re-boot they returned. They didn't launch, but if I tried to remove them, the uninstall page came up, which doesn't uninstall at all! This morning, I decided to try and find them in regedit using the search as suggested. There they were HKEY_Local_ Machine/ Microsoft/Software/Uninstall! DELETE!!! When I checked back at Add/Remove, they were GONE! I'd recommend avast anti-virus - it's more accurate than Norton and free for home users. Good luck!!


0

Response Number 145
Name: IndyCar
Date: July 4, 2004 at 18:10:39 Pacific
Reply:

I have also been struggling with this. After review of 3 different forums, I seem to be rid of this thing. My intention is to input my 2 cents and tell you what seemed to have worked for me. The authors on this board are genius, and I don't know how to thank you.

My first attempt today was proposed by Atomicdog 420 Response #6. Like others I did this many times and couldn't seem to get it. I think the changed files were hidden even though I made sure "show hidden files" was turned on.

My second attempt today was proposed by Hoovid # 144. I chose to download and run Avast Antivirus. Even though I already have Norton Antivirus installed, I did it. Immediately after installing Avast, it proceeded to scan and said that it found some stuff and that it had to run in boot mode. I don't know what this is, but I said ok. After it finished scanning, it found 98 infected files.

I did notice that most of the files it found were of this format:

4, 6, or 7 letter .exe
6 letter .dat
5 letter .dll

Since running this, I have rebooted 3 times and each time it appears to be fixed.

Things that I have noticed are:
1. HSA is still in my add/remove programs. Who cares, it's not doing anything.
2. NAV prior to this fix would say "a .dat is requesting scan". Each time I would write it down and I could never find it or delete it. That's why I think it was hiding even though "show all files" was turned on. Something had to be there because Avast Antivirus found it.

So once again, thanks to all for knowledge, experience, and good will. It means a lot to a newbie like me.

Regards, Bob


0

Response Number 146
Name: tinkius
Date: July 5, 2004 at 20:44:52 Pacific
Reply:

Hi Guys: This is my first time so I hope this is right. I found the file for the reload to the HSA in the reg edit: HKEY/LOCAL Machine/SYS/Current Control/Settings/Services/I-NS-Service-3. I found a file in there called ntyu32.exe; when I deleted this entry not only did the whole file disappear, but my computer was fixed! After that I made sure I deleted all the Javaai.exe files etc. It's been a week with no problems. Hope this helps. By the way, I use this site religiously, you guys are lifesavers!


0

Response Number 147
Name: tinkius
Date: July 5, 2004 at 20:51:51 Pacific
Reply:

Also to remove the HSA, SW, SE files from the add/remove programs go here http://support.microsoft.com/default.aspx?kbid=247501

Tinkius


0

Response Number 148
Name: yonatan_ca
Date: July 6, 2004 at 10:05:19 Pacific
Reply:

I can't find ntyu32.exe.
I deleted HSA, SW, SE from the uninstall list,
but still my Explorer's start page changes all the time and there are tons of pop-ups.
Please help!!!


0

Response Number 149
Name: jpsilo25
Date: July 7, 2004 at 10:23:55 Pacific
Reply:

Home Search Assistent, Search Extender, and Shopping Wizard can be removed using HSremove.exe. You can download this spyware from http://www.majorgeeks.com/download.php?det=4286. Ad-aware and SpyBot won't do the job. I recommend downloading the Google Toolbar after you remove any spyware from your computer. This helps prevent pop-ups and unsolicited ads.


0

Response Number 150
Name: strubby
Date: July 7, 2004 at 10:24:11 Pacific
Reply:

Download Avast Antivirus. I tried every single thing that was posted and none of it worked for me. Two days ago I downloaded Avast, let it do its thing, and now I am free of the beast. Here is the link:

http://www.avast.com/eng/download/programs/avast_4_home_downloa.html


0

Response Number 151
Name: nolog
Date: July 9, 2004 at 20:39:59 Pacific
Reply:

I searched for "lookingfor.cc" and not "lookfor.cc" and found this:

lookingfor.cc
Registrant:
Tomas Lopez (tomas_lopezz@yahoo.com)
CABO LA HUERTA 34-9
ALICANTE, NONE 03540
ES
+349651302910
Domain Name:
lookingfor.cc
Administrative, Technical, Billing Contact:
Tomas Lopez(tomas_lopezz@yahoo.com)
CABO LA HUERTA 34-9
ALICANTE, NONE 03540
ES
+349651302910
Record created on Apr 14 2004.
Record expires on Apr 14 2005.
Domain servers:
ns1.riviera.cc
ns3.riviera.cc

If this can help ?
Thanks to Atomic ; I'll try


0

Response Number 152
Name: Jimmy Jambo
Date: July 9, 2004 at 21:11:02 Pacific
Reply:

Listen UP !!


I got rid of HSA in 25 seconds ....

let me know if you want to do the same....


0

Response Number 153
Name: abpike
Date: July 9, 2004 at 22:01:39 Pacific
Reply:

See Response #149 by Justin. I used HSremove and it worked perfectly for me. I have XP Home Edition on my PC. Took about 15 minutes to download the program, follow the written instructions, and run HSremove. I re-started my computer and opened Internet Explorer twice to test the results and everything is working fine. Thanks to Justin for the tip and OLAR for creating HSremove.


0

Response Number 154
Name: kyle
Date: July 9, 2004 at 22:36:03 Pacific
Reply:

I had it for a week at least...

Here's how I got rid of it

1- get ad-aware 6.0, and update it
2- get hijack this
3- ctrl-alt-dlt and terminate all shady processes
4- run hijack this, get rid of all shady processes, including the ones that say what your homepage is being jacked to
5- run ad-aware and let it go, then fix or delete everything it finds
6- reboot in safe mode, and repeat 4-5, then reboot regularly
7- get regscrub xp
8- get your uninstaller
9- run regscrub xp, and fix all found problems
10- run your uninstaller and get rid of the three names in the add/remove menu
11- restart


After I restarted I ran hijack this and ad-aware again just to be safe... and I'm free!!


0

Response Number 155
Name: stealth001
Date: July 10, 2004 at 17:36:26 Pacific
Reply:

Thanks atomicdog420. Finally I can use the PC.
I downloaded Mozilla so I could use the internet to look for help.


0

Response Number 156
Name: thomas B
Date: July 12, 2004 at 23:30:04 Pacific
Reply:

Hey, I have also had my computer hijacked and am looking for a way to fix it. I use Spybot Search and Destroy, Ad-aware, and Hijack This. This is my Hijack This log. What should I get rid of?
Logfile of HijackThis v1.98.0
Scan saved at 11:26:57 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\MsgSys.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\winqw.exe
C:\documents and settings\thomas benton\local settings\temp\qEI.exe
C:\documents and settings\thomas benton\local settings\temp\H63lED.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ecursa.exe
C:\WINDOWS\System32\qcult.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\rsop028.exe
C:\Program Files\lotus\organize\easyclip6.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\netbe32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ieuk32.exe
C:\Program Files\FirstClass\Fcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Ozi6v.exe
C:\WINDOWS\System32\RsaQs5.exe
C:\WINDOWS\System32\mekr61i.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\euiiq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://euiiq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://euiiq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\euiiq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\euiiq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://euiiq.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {9FEDBD7E-E147-4760-1763-7146013BFF5D} - C:\WINDOWS\ipuj32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winqw.exe] C:\WINDOWS\winqw.exe
O4 - HKLM\..\Run: [qEI.exe] C:\documents and settings\thomas benton\local settings\temp\qEI.exe
O4 - HKLM\..\Run: [H63lED.exe] C:\documents and settings\thomas benton\local settings\temp\H63lED.exe
O4 - HKLM\..\Run: [56AEMNW4DS4DN8] C:\WINDOWS\System32\KyjnpE.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [kunscrblnhv] C:\WINDOWS\System32\ecursa.exe
O4 - HKLM\..\Run: [pn4S36j] qcult.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [mekr61i] C:\WINDOWS\System32\mekr61i.exe
O4 - HKLM\..\RunOnce: [ntpc.exe] C:\WINDOWS\ntpc.exe
O4 - HKLM\..\RunOnce: [apiyp.exe] C:\WINDOWS\system32\apiyp.exe
O4 - HKLM\..\RunOnce: [crji32.exe] C:\WINDOWS\system32\crji32.exe
O4 - HKLM\..\RunOnce: [netkl32.exe] C:\WINDOWS\system32\netkl32.exe
O4 - HKLM\..\RunOnce: [crug.exe] C:\WINDOWS\crug.exe
O4 - HKLM\..\RunOnce: [addaw.exe] C:\WINDOWS\addaw.exe
O4 - HKLM\..\RunOnce: [nteu.exe] C:\WINDOWS\nteu.exe
O4 - HKLM\..\RunOnce: [iepw32.exe] C:\WINDOWS\system32\iepw32.exe
O4 - HKLM\..\RunOnce: [sysoh.exe] C:\WINDOWS\system32\sysoh.exe
O4 - HKLM\..\RunOnce: [d3tt32.exe] C:\WINDOWS\d3tt32.exe
O4 - HKLM\..\RunOnce: [winmo.exe] C:\WINDOWS\winmo.exe
O4 - HKLM\..\RunOnce: [atlge32.exe] C:\WINDOWS\system32\atlge32.exe
O4 - HKLM\..\RunOnce: [d3jy32.exe] C:\WINDOWS\d3jy32.exe
O4 - HKLM\..\RunOnce: [msqt32.exe] C:\WINDOWS\msqt32.exe
O4 - HKLM\..\RunOnce: [adduv32.exe] C:\WINDOWS\adduv32.exe
O4 - HKLM\..\RunOnce: [addqk32.exe] C:\WINDOWS\system32\addqk32.exe
O4 - HKLM\..\RunOnce: [msck32.exe] C:\WINDOWS\msck32.exe
O4 - HKLM\..\RunOnce: [sysaj.exe] C:\WINDOWS\sysaj.exe
O4 - HKLM\..\RunOnce: [mfcvu32.exe] C:\WINDOWS\mfcvu32.exe
O4 - HKLM\..\RunOnce: [sdkuc32.exe] C:\WINDOWS\sdkuc32.exe
O4 - HKLM\..\RunOnce: [mfciq.exe] C:\WINDOWS\mfciq.exe
O4 - HKLM\..\RunOnce: [sysil32.exe] C:\WINDOWS\system32\sysil32.exe
O4 - HKLM\..\RunOnce: [mfcsi.exe] C:\WINDOWS\system32\mfcsi.exe
O4 - HKLM\..\RunOnce: [iptz32.exe] C:\WINDOWS\iptz32.exe
O4 - HKLM\..\RunOnce: [iplq.exe] C:\WINDOWS\system32\iplq.exe
O4 - HKLM\..\RunOnce: [javaxm32.exe] C:\WINDOWS\javaxm32.exe
O4 - HKLM\..\RunOnce: [ieuk32.exe] C:\WINDOWS\system32\ieuk32.exe
O4 - HKLM\..\RunOnce: [netbe32.exe] C:\WINDOWS\system32\netbe32.exe
O4 - HKLM\..\RunOnce: [apiie32.exe] C:\WINDOWS\system32\apiie32.exe
O4 - HKLM\..\RunOnce: [systw32.exe] C:\WINDOWS\systw32.exe
O4 - HKLM\..\RunOnce: [d3vx32.exe] C:\WINDOWS\system32\d3vx32.exe
O4 - HKLM\..\RunOnce: [ieeb.exe] C:\WINDOWS\ieeb.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [javaww.exe] C:\WINDOWS\system32\javaww.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [YCv2RWH7l] rsop028.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

Please, I am in dire need of help.


0
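
A triage pass over a HijackThis log of the kind posted above, as an added example that is not part of the original thread: it pulls out the `res://<name>.dll` home/search page values, RunOnce entries whose value name is the executable's own file name inside the Windows directories, and BHO DLLs loaded from those directories, which are the patterns posters in this thread describe. The sample log is constructed, the function names are hypothetical, and a hit is a lead to investigate, not a verdict.

```python
import ntpath
import re

# Constructed sample in HijackThis log format (not copied from any post).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abcde.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://abcde.dll/index.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\fghij.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [winxy.exe] C:\WINDOWS\winxy.exe
O4 - HKLM\..\RunOnce: [apizz32.exe] C:\WINDOWS\system32\apizz32.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"""

# R0-R3: Internet Explorer start/search page values ("key,value name = data").
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>.+?) = ?(?P<data>.*)$")
# res:// URL pointing into a DLL, with or without a directory prefix.
RES_DLL = re.compile(r"res://(?:.*\\)?(?P<dll>[^\\/]+\.dll)/", re.IGNORECASE)
# O2: Browser Helper Objects ("name - {CLSID} - path").
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4: autostart entries from the Run / RunOnce registry keys.
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.+?)\] (?P<cmd>.*)$")

WINDIRS = {r"c:\windows", r"c:\windows\system32"}


def in_windows_dir(path):
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    return ntpath.dirname(path.strip('"')).lower() in WINDIRS


def triage(log_text):
    """Return leads from a HijackThis log: hijack DLLs, RunOnce and BHO suspects."""
    hijack_dlls, runonce, bho = set(), [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            res = RES_DLL.search(m["data"])
            if res:
                hijack_dlls.add(res["dll"].lower())
            continue
        m = O4_LINE.match(line)
        if m:
            cmd = m["cmd"]
            # Heuristic: RunOnce value named after its own executable, which
            # lives directly in a Windows directory.
            if (m["key"].lower() == "runonce" and in_windows_dir(cmd)
                    and ntpath.basename(cmd).lower() == m["name"].lower()):
                runonce.append(cmd)
            continue
        m = O2_LINE.match(line)
        if m and in_windows_dir(m["path"]):
            bho.append((m["clsid"], m["path"]))
    return {"hijack_dlls": sorted(hijack_dlls), "runonce": runonce, "bho": bho}


def new_since(before, after):
    """Hijack DLL names in the later scan that the earlier scan did not show."""
    earlier = set(triage(before)["hijack_dlls"])
    return sorted(set(triage(after)["hijack_dlls"]) - earlier)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for kind, items in report.items():
        print(kind, items)
    # Simulate a second scan after the DLL has come back under another name.
    later = SAMPLE_LOG.replace("abcde", "klmno")
    print("renamed to:", new_since(SAMPLE_LOG, later))
```

Comparing two scans with `new_since` covers the case several posters report, where the home page DLL returns under a different name after cleanup.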

Response Number 157
Name: Scott33
Date: July 13, 2004 at 07:00:13 Pacific
Reply:

I have now run both Atomic's and jdledhead's response to this virus. Both of their suggestions appear to help others - I have run each multiple times and cannot seem to rid myself of it. Here is what I have done with no success:

I have eliminated all dat, dll and exe files from Windows and System 32

I have eliminated Prefetch each time I go through this, although it always comes back

I have used uninstaller to remove the 3 programs, although they always come back

I have used regedit to remove all HSA, home and home search files, although the HSA file has a tendency to always come back. I have also removed the questionable RunOnce files

I have run AdAware and Spybot numerous times.

I have cleaned out all old temp internet files and cookies

I have run HiJack this many times and I continue to get the same BHO to come back. The BHO is {A3EBB400-B7B6-CC1F-484B-848D123173BD}C:/Windows/System32/SYSOA32.dll

Despite doing all this, in both safe mode and regular mode, I have not been able to remove this.

DOES ANYONE HAVE ANY OTHER SUGGESTIONS OR RECOGNIZE SOMETHING THAT I AM MISSING???

I am on the verge of having to do a complete re-install, which I really don't want to do.

PLEASE HELP!!!!!



0

Response Number 158
Name: Primitive
Date: July 13, 2004 at 07:15:02 Pacific
Reply:

Just Follow instructions from Response Number 149. That simple. In minutes the plague I was fighting for more than a week is gone. Hopefully forever. This PC is clear.
Bob


0

Response Number 159
Name: Scott33
Date: July 13, 2004 at 07:30:44 Pacific
Reply:

Primitive:

Thanks for the reply. Already tried this, didn't work. Not sure why - tried it in safe mode and regular, still no luck


0

Response Number 160
Name: Scott33
Date: July 13, 2004 at 11:32:25 Pacific
Reply:

Hello Again:

I wanted to ask once more for help. This is what I have tried so far:

- Atomic's suggestion (wondering now if I need to delete dll and exe going back 6-9 months)

- jdledhead's suggestion. I thought it would work and appeared to make the most progress, yet it still came back

- Used Adaware, Spybot, HiJackThis Avantis, HS Remove, Your Uninstaller, AboutBuster and MicroTrend. All have some success, not enough.

- I have done most of these in Safe mode as well as with System Restore off. Still no success

From what I can tell, the majority of the exe, dll and dats are gone. When running regedit, I have been able to delete the HSA file and most of the questionable files under RunOnce. Additionally, I removed anything else under a home search that looks suspicious.

When running HiJackThis, I always end up with a BHO with sysoa32.exe at the end. When I search for it, Windows (or RegEdit) cannot find it. Deleting it makes it go away only temporarily.

The random 5 letter site that replaces my home page continues to change.

At the very least, I am learning a lot about computers. DOES ANYONE SEE ANYTHING I MAY HAVE MISSED OR AN ADDITIONAL SUGGESTION???

I am on my last leg and very jealous of anyone who has been able to solve this thing.


0

Response Number 161
Name: Jimmy Jambo
Date: July 13, 2004 at 16:15:26 Pacific
Reply:

To Eliminate HOME SEARCH ASSISTENT....

Simply Read Response Number 58

Thanks


0

Response Number 162
Name: mismis
Date: July 14, 2004 at 02:55:52 Pacific
Reply:

Hey! Everyone who is still having problems with the darn Home Search Assistant, I think I have found a solution, without having to delete any ".dll" files and whatnot.

I have been in constant contact with the support team at Lavasoft (Ad-Aware), and with their help it has been eradicated!!
My homepage is back to normal, my registry is clean, and HomeSearchAssistant, SearchExtender and ShoppingWizard have been removed from the "Add/Remove" list. No sign of these nasties anywhere!!

The best thing I can suggest is to post your Ad-Aware logs and HijackThis logs in their forums (to do this, you must first be "authorized" by them - it sounds silly but it's nothing really). They can then help you get rid of the nasty files.

What seemed to have worked for me in the end was installing a tool called "About:Buster". This tool can only be run when your computer is in safe-mode.

You have to follow the instructions carefully, you may mess up your computer even more -> not a good thing.

Please download this tool called 'About:Buster':

<http://www.downloads.subratam.org/AboutBuster.zip> (this link may not work, so just try a regular search with your browser)

Unzip it to your desktop.

DO NOT relaunch Internet Explorer at any point during this.

Now, boot in to safe mode. Instructions on how to do so are in the following link:

(THIS IS VERY IMPORTANT-it lets you know how to get into and out of safemode!)

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

(Follow the instructions relevant to your operating system.)

Once in safe mode, launch the About:Buster program you had earlier downloaded. Click 'OK' to the first prompt you get upon launching the program. Now, click the big 'Start' button. Click the 'OK' button you now see. Leave it to scan (the scan time has been improved throughout some versions so it will not take VERY long). Once it has finished (it'll have text, beside the 'OK' button, identical to 'Files Scanned'; at the bottom of the program it'll say 'Done Scanning'), copy/paste its report somewhere. To copy/paste it all, please select (highlight) with your mouse ALL of the text in the white box (in About:Buster). Right-click with your mouse and select 'Copy'.

Now, launch Notepad and RIGHT-click in the empty space. Select 'Paste'. Now the logfile from About:Buster will have been copied into Notepad. Click 'File' (in the menus...) > 'Save As'. Save it in C:\ and as Log.txt.

Now, restart the computer as normal and you'll return into Windows 'Normal' mode. Once back in 'Normal' mode, re-scan with HijackThis. Save that new logfile. Post that new logfile from HijackThis as well as the Log.txt you saved in safe mode (which is the logfile/report from About:Buster).

This process seemed to have worked for me in the end, but prior to this, the Lavasoft support teams told me what files to delete when looking over the HijackThis logs I submitted. (I still believe that Lavasoft support is the best way to go)

Anyway,
Good Luck! I really hope this works for you guys! :-)



0

Response Number 163
Name: Scott33
Date: July 14, 2004 at 08:30:51 Pacific
Reply:

Mismis:

Thanks for the suggestion. I spent another 6 hours last night working on this and have tried EVERY suggestion in this entire forum. Actually thought I had it beat, it worked for about 1/2 hour and then popped up again.

Question for you - what is the purpose of copying the log files from About Buster and HiJack this? Is it to relay the information to the people at Lavasoft? I am willing to try one more thing if it works - I have already begun the process of backing all my important files so I can do the complete reinstall.

Would you suggest I contact Lavasoft? Did you contact them through their website?

thanks


0

Response Number 164
Name: mismis
Date: July 15, 2004 at 01:07:11 Pacific
Reply:

ScottR,


I did go through the Lavasoft Support Forums website.

The purpose of copying and saving the logs from Ad-Aware, HijackThis and About:Buster is so the support team can go through everything that is in those logs in order to give you the best solutions after you post them. Maybe everyone's files that relate to HomeSearchAssistant are different, who knows.

It did take a little while for my method to work, but it worked in the end. Perhaps it might go quicker for you. I'd suggest going through them and/or my method before reinstalling everything :-).

The Lavasoft people are very helpful and very patient. They'll do their best to try and solve your problems.

If you have any more questions, don't hesitate to ask :-)

Good Luck.


0

Response Number 165
Name: mismis
Date: July 15, 2004 at 02:12:48 Pacific
Reply:

I recommend going to the website

www.majorgeeks.com

Lavasoft recommends quite a few tools from these guys.
There are TONS of utilities there that can be downloaded. Some are freeware and others are shareware.

Lavasoft recommended that I get a tool called "SpywareBlaster". This tool doesn't clean spyware, but prevents it.

Also, it seems that 'majorgeeks' have a tool that MIGHT get rid of HomeSearchAssistant, BUT it is a brand new tool so USE AT YOUR OWN RISK!!! If it messes up your computer, don't blame me :-).

Don't get too discouraged, there are solutions out there, I promise!!
You never know, my computer might get 'infected' again! (Knock on wood!!!).

Good luck all. Believe me, I feel your pain.



0

Response Number 166
Name: mabnot4u
Date: July 16, 2004 at 07:31:29 Pacific
Reply:

Excellent job 'DOG!!!

Finally got this three-headed monster off my desktop............Thanks
Pete


0

Response Number 167
Name: Primitive
Date: July 16, 2004 at 08:34:25 Pacific
Reply:

Scott,
sorry that HSREMOVE didn't work. I tried everything else suggested above and this is the only thing that worked for me.
Bob


0

Response Number 168
Name: dmv027
Date: July 20, 2004 at 18:00:44 Pacific
Reply:

I am trying to follow the steps to get rid of this thing. When I go into "services.msc" there is nothing called "Network Security Service". I'm running XP Home edition. Is it called something else?


0

Response Number 169
Name: BENTMAN
Date: July 23, 2004 at 11:25:37 Pacific
Reply:

Automated solution with 100% reported successes (this is how I've solved three, no problems.)
1.) Turn off system restore, reboot to Safemode
2.) Delete %WINROOT%\TEMP, %USERPROFILE%\"TEMPS", IE %TEMP%'S
3.) Use updated "AboutBuster.exe" v1.31 and "HijackThis.exe" 1.98 (Use HijackThis only if expert or told by one!)
4.) (Optional) Normal reboot and install Adware 6.181, update, vx2 plugin, run scan, remove Adwares
5.) (Optional) Install SpyBot S&D 1.3, update, scan, remove, immunize, set to run on reboot, scan, remove, immunize
6.) (Optional) Install BHODemon 2.13, update, teach user
7.) Turn on system restore and reboot, make current restore point

Hope this helps...



0

Response Number 170
Name: alexp
Date: July 31, 2004 at 11:41:14 Pacific
Reply:

Please see my Hijackthis log. My XP Prof laptop has been infected with Home Search Assistant. My Homepage is hijacked to res://qsktg.dll/index.html#27063. I also see Search Extender, Shopping Wizard and Home Search Assistent in my Add/Remove Control Panel. Pls help

Logfile of HijackThis v1.97.7
Scan saved at 11:09:36 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\mfcoe32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Lime_Shop\Limeshop0.exe
C:\WINDOWS\system32\atlwi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Java\j2re1.4.1_02\bin\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lime_Shop\Limeshop1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Personal\HijackThis.exe
C:\WINDOWS\System32\iologmsg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsktg.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsktg.dll/index.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsktg.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsktg.dll/sp.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qsktg.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qsktg.dll/sp.html#27063
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4289D83C-B29F-6AE3-A2CB-7FC6A6C7D83A} - C:\WINDOWS\system32\iedh.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [Limeshop0] "C:\Program Files\Lime_Shop\Limeshop0.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [atlwi.exe] C:\WINDOWS\system32\atlwi.exe
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [iologmsg] C:\WINDOWS\System32\iologmsg.exe
O4 - HKLM\..\RunOnce: [mfcoe32.exe] C:\WINDOWS\mfcoe32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LimeWire 3.8.10.lnk = C:\Program Files\LimeWire\3.8.10\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.133/legal/x.chm::/load.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab



0
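
For reading a HijackThis log like the one in Response Number 170, a short triage script can group the Internet Explorer start/search settings that point at a `res://` DLL resource and list the O2 BHO lines for manual review. This is an added example, not part of any post in the thread; the function names are hypothetical and the sample lines are copied from that log.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the HijackThis log in Response Number 170.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qsktg.dll/sp.html#27063
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsktg.dll/index.html#27063
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qsktg.dll/index.html#27063
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
O2 - BHO: (no name) - {4289D83C-B29F-6AE3-A2CB-7FC6A6C7D83A} - C:\WINDOWS\system32\iedh.dll
O4 - HKLM\..\RunOnce: [mfcoe32.exe] C:\WINDOWS\mfcoe32.exe
"""

# "R0 - HKCU\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\(.+?),(.+?) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <path>"
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# Data of the form res://<something>.dll/<page>
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

def res_hijacks(log):
    """Map each DLL named in a res:// IE setting to the (hive, value) pairs pointing at it."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        _code, hive, _key, value_name, data = m.groups()
        dll = RES_DLL.match(data)
        if dll:
            # Reduce "C:\WINDOWS\qsktg.dll" and "qsktg.dll" to the same file name.
            name = dll.group(1).replace("/", "\\").split("\\")[-1].lower()
            hits[name].append((hive, value_name))
    return dict(hits)

def bho_entries(log):
    """Return (clsid, path) for every O2 Browser Helper Object line, for manual review."""
    out = []
    for line in log.splitlines():
        m = BHO_LINE.match(line.strip())
        if m:
            out.append((m.group(2).upper(), m.group(3)))
    return out

if __name__ == "__main__":
    for dll, settings in res_hijacks(SAMPLE_LOG).items():
        print(dll, "is referenced by", settings)
    for clsid, path in bho_entries(SAMPLE_LOG):
        print("BHO", clsid, path)
```

Grouping by DLL name shows how many separate registry values would have to be reset after the file itself is dealt with, which is why deleting a single value tends not to stick.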
