hijacked by home search assistent

tthaitanium · 08-01-2004, 06:51 PM

my computer was hijacked by "Home Search Assistent." i already have ad-aware, spybot, spyblaster, hijack this, and about:buster installed on my computer. heres the log for hijack this

Logfile of HijackThis v1.98.0
Scan saved at 12:40:19 PM, on 8/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\nethr32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sfcda.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\AIM\aim.exe
C:\valve\steam\steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\NbdA0h.exe
C:\WINDOWS\System32\Ssg9524W.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\addaz32.exe
C:\Documents and Settings\Varnasup\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdrub.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdrub.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wdrub.dll/index.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdrub.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdrub.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdrub.dll/index.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8A6BECE7-0D82-A66C-D3F2-02787B9E5C0A} - C:\WINDOWS\system32\atldn.dll
O4 - HKLM\..\Run: [2A@KTJ82B2DKDM] C:\WINDOWS\System32\Xqsye.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Varnasup\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.9.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [ssnj3FO] sfcda.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

this is the log for about:buster

-- Scan 1 --------
about:Buster Version 2.0
Removed! : C:\WINDOWS\tpnjc.dat
Removed! : C:\WINDOWS\vzncrx.dat
Removed! : C:\WINDOWS\System32\addaz32.exe
Removed! : C:\WINDOWS\System32\uibde.dat
Removed! : C:\WINDOWS\System32\vagfo.dat
Removed! : C:\WINDOWS\System32\wdrub.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

i already know its the registry stuff, but everytime i delete it, it comes back. i already tried fixing it in safemode. but when i come back to the regular mode, it comes back. i also see it when i go to add/remove programs but when i try to remove it, this URL comes up and like it says it cant uninstall or something. i did system restore twice so that didnt work. help anyone?

nomav6 · 08-01-2004, 11:14 PM

download mozilla firefox from www.mozilla.org it doesn't have all the holes that IE has, its a much better browser.

**ian** · 08-02-2004, 12:53 AM

Also try doing a search and posting your log at http://www.spywareinfo.com

ottoman · 08-03-2004, 09:42 AM

hi guys I had the same problem a few days ago Itried everything I mean adaware+spybot+spywareguard+cleaning regedit+... But as you said it always came back So i reinstalled the system If you use XP i think the easiest way is to reinstall the system to a previous date If you don't know how to do i can tell İt's ver

y easy

08-01-2004, 06:51 PM	#1 (permalink)
tthaitanium New Member Join Date: Jul 2004 Posts: 8	hijacked by home search assistent my computer was hijacked by "Home Search Assistent." i already have ad-aware, spybot, spyblaster, hijack this, and about:buster installed on my computer. heres the log for hijack this Logfile of HijackThis v1.98.0 Scan saved at 12:40:19 PM, on 8/1/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\gearsec.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\nethr32.exe C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\sfcda.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\CursorXP\CursorXP.exe C:\Program Files\AIM\aim.exe C:\valve\steam\steam.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Ares\Ares.exe C:\Program Files\AWS\WeatherBug\Weather.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\System32\NbdA0h.exe C:\WINDOWS\System32\Ssg9524W.exe C:\Program Files\Ventrilo\Ventrilo.exe C:\WINDOWS\system32\addaz32.exe C:\Documents and Settings\Varnasup\Desktop\HijackThis.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdrub.dll/sp.html#37680 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdrub.dll/index.html#37680 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wdrub.dll/index.html#37680 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdrub.dll/sp.html#37680 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdrub.dll/sp.html#37680 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wdrub.dll/index.html#37680 R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {8A6BECE7-0D82-A66C-D3F2-02787B9E5C0A} - C:\WINDOWS\system32\atldn.dll O4 - HKLM\..\Run: [2A@KTJ82B2DKDM] C:\WINDOWS\System32\Xqsye.exe O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Varnasup\LOCALS~1\Temp\tb_setup.exe /dcheck O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.9.0\WeatherOnTray.exe O4 - HKLM\..\Run: [ssnj3FO] sfcda.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll this is the log for about:buster -- Scan 1 -------- about:Buster Version 2.0 Removed! : C:\WINDOWS\tpnjc.dat Removed! : C:\WINDOWS\vzncrx.dat Removed! : C:\WINDOWS\System32\addaz32.exe Removed! : C:\WINDOWS\System32\uibde.dat Removed! : C:\WINDOWS\System32\vagfo.dat Removed! : C:\WINDOWS\System32\wdrub.dll Attempted Clean Of Temp folder. Removed Uninstall Key (HSA) Removed Uninstall Key (SE) Removed Uninstall Key (SW) Pages Reset... Done! i already know its the registry stuff, but everytime i delete it, it comes back. i already tried fixing it in safemode. but when i come back to the regular mode, it comes back. i also see it when i go to add/remove programs but when i try to remove it, this URL comes up and like it says it cant uninstall or something. i did system restore twice so that didnt work. help anyone? Last edited by tthaitanium; 08-01-2004 at 06:59 PM.

08-01-2004, 11:14 PM	#2 (permalink)
nomav6 Gold Member Join Date: Jun 2004 Location: Kentucky Posts: 316	download mozilla firefox from www.mozilla.org it doesn't have all the holes that IE has, its a much better browser. __________________ unset($haters)

08-02-2004, 12:53 AM	#3 (permalink)
ian Administrator Join Date: Nov 2003 Posts: 8,005	Also try doing a search and posting your log at http://www.spywareinfo.com __________________ Computer Forum

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

08-03-2004, 09:42 AM	#4 (permalink)
ottoman New Member Join Date: Aug 2004 Location: Istanbul Posts: 1	hi guys I had the same problem a few days ago Itried everything I mean adaware+spybot+spywareguard+cleaning regedit+... But as you said it always came back So i reinstalled the system If you use XP i think the easiest way is to reinstall the system to a previous date If you don't know how to do i can tell İt's ver y easy