I ran AdAware and Spybot before running HijackThis.
Thanks in advance for your assistance.
Logfile of HijackThis v1.99.1
Scan saved at 5:52:17 PM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\apier32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office 2003\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\tricia\My Documents\Downloads\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\znrxr.dll/sp.html#10001%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0F2536AB-254C-489F-1F19-D52DA6A69AED} - C:\WINDOWS\sdkom.dll
O2 - BHO: Class - {4A50B344-6073-9580-C21C-5651421BA97D} - C:\WINDOWS\system32\appzp32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AOL Music Now] "C:\PROGRA~1\AOLMUS~1\AOLMusicNow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apicp32.exe] C:\WINDOWS\system32\apicp32.exe
O4 - HKLM\..\Run: [crnj.exe] C:\WINDOWS\system32\crnj.exe
O4 - HKLM\..\Run: [2C.tmp.exe] C:\DOCUME~1\dave\LOCALS~1\Temp\2C.tmp.exe
O4 - HKLM\..\Run: [ippc.exe] C:\WINDOWS\system32\ippc.exe
O4 - HKLM\..\Run: [ielk32.exe] C:\WINDOWS\ielk32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\Software\..\Telephony: DomainName = AEROCOMPUTING.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS2\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
First move Hijackthis out of the TEMP folder (or Desktop) and put it in a permanent folder somewhere:
- Create a new folder on your C: drive. Name it HJT (or HijackThis), such as C:\Program Files\HJT or C:\HJT, and move the HijackThis.exe file into it.
- It's best for this tool NOT to be located on your Desktop or in a TEMP folder. This way you can undo any changes if something goes wrong.
Please disable the following application(s), as it/they may hinder the removal of some entries. You can re-enable them after your computer is clean.
Spybot Search & Destroy (Teatimer)
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
Disable Microsoft AntiSpyware
- Open Microsoft AntiSpyware.
- Click on Tools, Settings.
- In the left pane, click on Real-time Protection.
- Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
- After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware.
You have a nasty About:Blank infection. Fixing this requires several cleanup tools to be downloaded for later use.
Download the following tools:
Download the latest version of CWShredder to your desktop from here:
http://cwshredder.net/bin/CWShredder.exe
We will use this application a little later on in the process.
Initially, run it ONLY to check for updates.
Download About:Buster from one of these links:
http://majorgeeks.com/download4289.html
Unzip it to your desktop.
Initially, run AboutBuster 5.0 and press ‘Update’ to make sure you have the latest reference file version.
Do not run the actual scan/fix until instructed below.
You will run About:Buster while you are in Safe Mode.
It will create a log in addition to cleaning your system. Post that log into your next reply in this thread.
Download Clean.bat to your desktop for later use:
http://www.thatcomputerguy.us/downloads/clean.bat
DISCONNECT FROM THE INTERNET
During the fix do NOT connect to the Internet (turn your modem off or disconnect your internet connection wire).
Unless you can memorize these instructions, it would be a good idea to print them out or save these instructions to a file on your desktop (NOTEPAD).
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\znrxr.dll/sp.html#10001%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0F2536AB-254C-489F-1F19-D52DA6A69AED} - C:\WINDOWS\sdkom.dll
O2 - BHO: Class - {4A50B344-6073-9580-C21C-5651421BA97D} - C:\WINDOWS\system32\appzp32.dll
O4 - HKLM\..\Run: [2C.tmp.exe] C:\DOCUME~1\dave\LOCALS~1\TEMP\2C.tmp.exe
Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).
Run Clean.bat
Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter
*** Re-run CLEANMGR.EXE once you have regained the full functional use of your PC.
Navigate to or locate the following Files and Folders:
- using Windows Explorer (right click on ‘My Computer’ > Explore) or using Start (button) > Search …
Delete these Files (if found):
C:\WINDOWS\apier32.exe
Delete these Folders (if found) - preferably using Add/Remove Programs where possible:
None specified.
Now, run AboutBuster and select ’Begin Removal’. Continue running the scan until it shows clean.
Post a copy of the scan results, which will appear in the AboutBuster folder.
Next, run CWShredder
-Click on the: ‘Fix’ button
-Follow the prompts, and press OK
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
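The re-check of a revised log against the fix list can be done mechanically. The following is an added example, not part of the original posts and not a HijackThis feature; the function names are hypothetical, and the sample data are excerpts of the fix list and of the 12/20 and 12/23 logs that appear in this thread.

```python
import re

# An entry line is a section code (R, F, N or O plus a number), " - ", then detail.
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.+)$")


def parse_entries(log_text):
    """Return (code, detail) for every entry line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("detail").strip()))
    return entries


def entry_key(code, detail):
    # Windows paths and registry names are case-insensitive, and forum
    # software may reflow whitespace, so compare on a normalised form.
    # An 8.3 short path is NOT equated with its long form here.
    return (code, " ".join(detail.split()).casefold())


def check_fix(fix_items_text, new_log_text):
    """Split the fix list into (still present in new log, no longer present)."""
    present = {entry_key(c, d) for c, d in parse_entries(new_log_text)}
    remaining, cleared = [], []
    for code, detail in parse_entries(fix_items_text):
        bucket = remaining if entry_key(code, detail) in present else cleared
        bucket.append((code, detail))
    return remaining, cleared


# Fix list as given in the instructions (note "TEMP" in the last path).
FIX_ITEMS = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\znrxr.dll/sp.html#10001%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0F2536AB-254C-489F-1F19-D52DA6A69AED} - C:\WINDOWS\sdkom.dll
O2 - BHO: Class - {4A50B344-6073-9580-C21C-5651421BA97D} - C:\WINDOWS\system32\appzp32.dll
O4 - HKLM\..\Run: [2C.tmp.exe] C:\DOCUME~1\dave\LOCALS~1\TEMP\2C.tmp.exe
"""

# Excerpt of the log saved 12/20/2005 (the same path is spelled "Temp" here).
LOG_2005_12_20 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\znrxr.dll/sp.html#10001%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jipvf.dll/sp.html#37049%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0F2536AB-254C-489F-1F19-D52DA6A69AED} - C:\WINDOWS\sdkom.dll
O2 - BHO: Class - {4A50B344-6073-9580-C21C-5651421BA97D} - C:\WINDOWS\system32\appzp32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [2C.tmp.exe] C:\DOCUME~1\dave\LOCALS~1\Temp\2C.tmp.exe
"""

# Excerpt of the log saved 12/23/2005.
LOG_2005_12_23 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [apicp32.exe] C:\WINDOWS\system32\apicp32.exe
"""

if __name__ == "__main__":
    for label, log in (("12/20", LOG_2005_12_20), ("12/23", LOG_2005_12_23)):
        remaining, cleared = check_fix(FIX_ITEMS, log)
        print(f"{label}: {len(remaining)} fix items still present, {len(cleared)} gone")
        for code, detail in remaining:
            print(f"  still present: {code} - {detail}")
```
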
A big thank YOU....I followed your instructions and things appear to be back to normal.
Here are the logs you requested me to post....
AboutBuster 5.1, reference file 33
Scan started on [12/20/2005] at [12:49:19 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\ptbpo.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:50:27 PM
AboutBuster 5.1, reference file 33
Scan started on [12/20/2005] at [12:51:15 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:52:19 PM
-----------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:08:11 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\AOLMUS~1\AOLMusicNow.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\dave\LOCALS~1\Temp\2C.tmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\tricia\My Documents\Downloads\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\znrxr.dll/sp.html#10001%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jipvf.dll/sp.html#37049%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0F2536AB-254C-489F-1F19-D52DA6A69AED} - C:\WINDOWS\sdkom.dll
O2 - BHO: Class - {4A50B344-6073-9580-C21C-5651421BA97D} - C:\WINDOWS\system32\appzp32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AOL Music Now] "C:\PROGRA~1\AOLMUS~1\AOLMusicNow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apicp32.exe] C:\WINDOWS\system32\apicp32.exe
O4 - HKLM\..\Run: [crnj.exe] C:\WINDOWS\system32\crnj.exe
O4 - HKLM\..\Run: [2C.tmp.exe] C:\DOCUME~1\dave\LOCALS~1\Temp\2C.tmp.exe
O4 - HKLM\..\Run: [ippc.exe] C:\WINDOWS\system32\ippc.exe
O4 - HKLM\..\Run: [ielk32.exe] C:\WINDOWS\ielk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\Software\..\Telephony: DomainName = AEROCOMPUTING.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS2\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Please post the latest HJT log since your AboutBuster fix was effected after that log. There may be some remaining issues that may need to be addressed.
---------Originally Posted by VopThis
Logfile of HijackThis v1.99.1
Scan saved at 9:47:13 AM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\AOLMUS~1\AOLMusicNow.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\tricia\My Documents\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AOL Music Now] "C:\PROGRA~1\AOLMUS~1\AOLMusicNow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apicp32.exe] C:\WINDOWS\system32\apicp32.exe
O4 - HKLM\..\Run: [ippc.exe] C:\WINDOWS\system32\ippc.exe
O4 - HKLM\..\Run: [ielk32.exe] C:\WINDOWS\ielk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\Software\..\Telephony: DomainName = AEROCOMPUTING.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS2\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
I just ran Spybot again, and I'm still getting a problem showing up that cannot be removed by Spybot. I ran through all the steps again that were posted by VopThis this morning and I'm still getting a 'CoolWWWSearch.HomeSearch' found by Spybot that cannot be fixed.
Scan unknown files for viruses/malware
Please go to this website and submit the following files (copy and paste each full file PATH) for possible Viruses/Trojans detection analysis and immediate feedback:
http://virusscan.jotti.org/
Submit these files :
C:\WINDOWS\system32\apicp32.exe
C:\WINDOWS\system32\ippc.exe
C:\WINDOWS\ielk32.exe
Let us know what the results were for the file(s).
None of these files were found.
Download: HomeSearchfix and unzip it to your desktop but do not use it yet.
We will use it later in safe mode.
http://users.telenet.be/marcvn/regfiles/HSfix.zip
BOOT into SAFE MODE.
Re-run CWShredder and AboutBuster.
Double-click HomeSearchfix.reg to merge the info to the registry.
REBOOT into NORMAL MODE.
Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.
Reboot
Post a new HJT log with any detailed feedback from the scans. How are things now behaving: any new or remaining apparent issues?
I did as instructed...Spybot did a scan at bootup this morning....there is still the CoolWWWSearch.HomeSearch found but unremovable by Spybot. The pop-ups have been taken care of, but my PC does seem slower and appears to be bogging down the network.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:57:06 PM, 12/28/2005
+ Report-Checksum: AC627857
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{0ECEBD98-802F-9B4D-7308-C983A18EDBEC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4C1CBC17-3C15-343F-1E7C-D8F447935C05} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4FBFBE36-BC17-CAB4-CA0B-1F18DD30B292} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5FA0CF1E-5FF7-5212-6D7D-5710E683BABB} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{952AA538-C1D7-30E5-8DC6-1A12E2F736A2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EDE4719B-AC04-9EE1-7AEA-7712560B2832} -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.7:C:\Documents and Settings\adam\Application Data\Mozilla\Firefox\Profiles\odc6tbor.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@data4.perf.overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@e-2dj6wjkyuicpwgp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\dave\Cookies\dave@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\dave\Local Settings\Temp\29.tmp -> Hijacker.Spywad.n : Cleaned with backup
C:\Documents and Settings\dave\Local Settings\Temp\2C.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\dave\Local Settings\Temp\2C.tmp.exe -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\dave\Local Settings\Temp\ASearchAssist.dll -> Adware.Agent : Cleaned with backup
C:\Documents and Settings\nate\Cookies\nate@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\nate\Cookies\nate@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\nate\Cookies\nate@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\randy\Cookies\randy@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\randy\Cookies\randy@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\randy\Cookies\randy@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@e-2dj6wjlygodzelp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@e-2dj6wjmiepczoho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\tricia\Cookies\tricia@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.18:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.28:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.71:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.74:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.75:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.76:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.77:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.78:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.79:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.80:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.81:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.82:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.83:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.84:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.85:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.86:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.87:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.88:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.89:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.90:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.99:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.100:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.101:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.102:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.103:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.104:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.105:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.106:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.118:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.119:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Hotlog : Cleaned with backup
:mozilla.123:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.124:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.125:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.126:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.127:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.141:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.142:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.143:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.144:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.172:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.174:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.183:C:\Documents and Settings\tricia\My Documents\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\WINDOWS\atllr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlvf.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\ipfq.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\KB905749.log:ubrjt -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mfcnw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netoo.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkmn32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\setuplog.txt:auitp -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\crhs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crll.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ieja32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieqt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieza32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netdy32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\wincq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\systq32.exe -> Trojan.Agent.bi : Cleaned with backup
::Report End

Logfile of HijackThis v1.99.1
Scan saved at 9:15:09 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1135443889\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\tricia\My Documents\Downloads\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AOL Music Now] "C:\PROGRA~1\AOLMUS~1\AOLMusicNow.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135443889\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\Software\..\Telephony: DomainName = AEROCOMPUTING.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AEROCOMPUTING.COM
O17 - HKLM\System\CS2\Services\Tcpip\..\{02073B16-0A37-49FA-904F-C6D4DC751E5A}: NameServer = 172.20.0.5,172.20.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe