windows ME home search removal help?

**albertovo7** · 05-10-2004

My friends computer has been highjacked with home search. Here is a log file. Can anybody help?

Logfile of HijackThis v1.98.2
Scan saved at 11:41:11 AM, on 10/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ADDQY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ESOFT\EBOARD\EBOARD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\SYSTEM\E_S4I2K1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\WINDOWS\WINSG32.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.1.EXE
C:\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
C:\WINDOWS\DESKTOP\ABOUTBUSTER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D45147C0-D462-2383-1F5F-CA01325DFB27} - C:\WINDOWS\IPKD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\SYSTEM\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O7 "EPUSB1:" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [WINSG32.EXE] C:\WINDOWS\WINSG32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [D3EM.EXE] C:\WINDOWS\D3EM.EXE
O4 - HKLM\..\RunServices: [IPRG32.EXE] C:\WINDOWS\IPRG32.EXE
O4 - HKLM\..\RunServices: [ADDJM32.EXE] C:\WINDOWS\SYSTEM\ADDJM32.EXE
O4 - HKLM\..\RunServices: [ADDQY.EXE] C:\WINDOWS\ADDQY.EXE
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\djvqxncu.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...a29296baabe1d6
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...etslv32_EN.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = pacbell.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 206.13.28.12,206.13.31.12

**owen** · 05-10-2004

1. Download AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop but don't run it yet.

2. Download Ad-aware from here. Open the Ad-aware program and near the bottom click the Check For Updates link. This will open the update manager. Follow the prompts to update your Ad-aware Reference File. Close Ad-aware for now, we will use it later.

3. You may want to print out these instructions for further reference when completing the following steps.

4. Ensure you are showing Hidden Files and Folders as per instructions here.

5. Then reboot your PC into Safe Mode. If you don't know how to do this, see here for further instructions.

6. Restart Hijack This and put a checkmark next to the following entries and click Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\atwos.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D45147C0-D462-2383-1F5F-CA01325DFB27} - C:\WINDOWS\IPKD.DLL
O4 - HKLM\..\Run: [WINSG32.EXE] C:\WINDOWS\WINSG32.EXE
O4 - HKLM\..\RunServices: [D3EM.EXE] C:\WINDOWS\D3EM.EXE
O4 - HKLM\..\RunServices: [IPRG32.EXE] C:\WINDOWS\IPRG32.EXE
O4 - HKLM\..\RunServices: [ADDJM32.EXE] C:\WINDOWS\SYSTEM\ADDJM32.EXE
O4 - HKLM\..\RunServices: [ADDQY.EXE] C:\WINDOWS\ADDQY.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\djvqxncu.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6

Then delete the following files and folders:

C:\WINDOWS\IPKD.DLL
C:\WINDOWS\WINSG32.EXE
C:\WINDOWS\D3EM.EXE
C:\WINDOWS\IPRG32.EXE
C:\WINDOWS\SYSTEM\ADDJM32.EXE
C:\WINDOWS\ADDQY.EXE

7. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with Adaware and let it remove any bad files found.

9. Download SSS from here. Run the program and on the items to clear tab select both "Temporary Files" options and the "Recycle Bin" option. Then click Clear Selected Items.

10. Reboot to normal mode

11. Finally, pay a visit to Housecall. Scan for and remove any infected files found on your system.

Post a fresh HijackThis log and the AboutBuster report back here please.

windows ME home search removal help?

windows ME home search removal help?

Similar Threads

Home Search Assistant/Seach Extenter/Shopping Wizard Removal

home search assistant/ search extender/ shopping wizard driving me crazy!

Need Help With Removal Of Home Search Assistent,etc

REMOVAL OF home search assistent

Home Search Removal Help Needed (Resolved)