Re: Hijacking


From: Jon Erlandson (jerlands_at_NOSPAM.sbcglobal.net)
Date: 01/18/05


Date: Tue, 18 Jan 2005 12:39:07 -0600

Remove Home Search Assistant
http://www.short-media.com/review.php?r=259

"Arioch" <Arioch@discussions.microsoft.com> wrote in message
news:7AFACDD4-7597-474D-8457-077E6FCE8BE4@microsoft.com...
> Thanks guys,
> I have removed the hijack, but I am still being bombarded with it each time I
> open Internet Explorer.
> I have found a program listed in my Add/Remove Programs listing called Home
> Search Assistant, which might be the suspect programme, because I am getting
> search engine pop-ups every time I do a search, and pop-ups called "only the best".
>
> I have tried uninstalling Home Search, but all it does is take me to a
> website to allow me to download the uninstall software. Can anybody tell me
> what I need to look for in the Registry and on my drive to enable me to delete it?
>
> Many thanks
>
> "Arioch" wrote:
>
>> Hi,
>> My Internet Explorer has been hijacked and I seem to keep getting a search
>> page as my blank page.
>> I have run programs like Ad-aware, Spy Stopper and HijackThis.
>> Still I am getting this annoying page.
>> When I have run HijackThis to clear it, on opening Explorer I get a pop-up
>> which resets my home page to the search page.
>> Can somebody help me please!
>>
>> I am using XP with SP2.
>>
>> Here is the HijackThis log file...
>>
>> Logfile of HijackThis v1.97.7
>> Scan saved at 09:06:57, on 15/01/2005
>> Platform: Windows XP SP2 (WinNT 5.01.2600)
>> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>>
>> Running processes:
>> C:\WINDOWS\System32\smss.exe
>> C:\WINDOWS\SYSTEM32\winlogon.exe
>> C:\WINDOWS\system32\services.exe
>> C:\WINDOWS\system32\lsass.exe
>> C:\WINDOWS\system32\svchost.exe
>> C:\WINDOWS\System32\svchost.exe
>> C:\WINDOWS\Explorer.EXE
>> C:\WINDOWS\system32\spoolsv.exe
>> C:\WINDOWS\System32\Ati2evxx.exe
>> C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
>> C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
>> C:\WINDOWS\System32\svchost.exe
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
>> C:\WINDOWS\d3md32.exe
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\apvxdwin.exe
>> C:\WINDOWS\SOUNDMAN.EXE
>> C:\Program Files\Ahead\InCD\InCD.exe
>> C:\Program Files\Evidence Eliminator\ee.exe
>> C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
>> C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
>> C:\PROGRA~1\INCRED~1\bin\IMApp.exe
>> C:\Program Files\Common Files\Real\Update_OB\realsched.exe
>> C:\Program Files\Admanager Controller\AdManCtl.exe
>> C:\WINDOWS\system32\appez.exe
>> C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
>> C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
>> C:\WINDOWS\System32\svchost.exe
>> C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
>> C:\WINDOWS\system32\ctfmon.exe
>> C:\Program Files\IncrediMail\bin\IncMail.exe
>> C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
>> D:\downloaded\spyware\Hijackthis\HijackThis.exe
>>
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vanessa-mae.pwp.blueyonder.co.uk
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
>> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
>> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
>> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arioch's Main
>> O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
>> O2 - BHO: (no name) - {9A8194E4-E89A-F96E-41AC-3B95DC66C7C0} - C:\WINDOWS\system32\appzy.dll
>> O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
>> O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
>> O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
>> O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
>> O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
>> O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
>> O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
>> O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
>> O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
>> O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
>> O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
>> O4 - HKLM\..\Run: [Farces & Attrapes] C:\Program Files\eMule\Temp\Emule v0.42D Upload Limit Crack Patcher By Maf.exe \farces
>> O4 - HKLM\..\Run: [SoundControl] C:\WINDOWS\System32\smrss.exe
>> O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
>> O4 - HKLM\..\Run: [imjpmig] D:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
>> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
>> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
>> O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
>> O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
>> O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe
>> O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
>> O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
>> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
>> O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
>> O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
>> O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
>> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
>> O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
>> O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
>> O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
>> O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
>> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
>> O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
>> O9 - Extra button: ICQ Lite (HKLM)
>> O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
>> O9 - Extra button: Yahoo! Messenger (HKLM)
>> O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
>> O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda platinum internet security\pavlsp.dll
>> O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
>> O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
>> O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
>> O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
>> O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
>> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093187653344
>> O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38221.3499074074
>> O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
>> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>> O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
>>
>>
>>
>> Many thanks
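A way to pull the entries worth examining out of a log like the one quoted above, as an added example that is not code from the thread or from HijackThis: it parses the R0/R1, O2 and O4 lines and flags the ones that match three heuristics of this example's own choosing (search or start-page values that point at a res:// URL into a DLL; BHOs whose DLL lives under the Windows directory rather than Program Files; Run entries whose target sits in the Windows directory, or whose file name is one character away from a core Windows process name, as smrss.exe is from smss.exe). The sample lines are constructed to match the shape of the posted log with the wrapped lines rejoined; the allowlist entry and the assumption that %SystemRoot% is C:\WINDOWS are this example's, and a flag means "inspect this file and registry value", not a verdict.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Heuristics used here are this example's own assumptions:
  * R0/R1: a search/start-page value that is a res:// URL into a DLL,
  * O2: a BHO whose DLL lives under the Windows directory,
  * O4: a Run target in the Windows directory, or one edit away from a core
    Windows process name (lookalike), unless on an analyst-kept allowlist.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the shape of the posted log (wrapped lines rejoined).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cqoxq.dll/sp.html#44768
O2 - BHO: (no name) - {9A8194E4-E89A-F96E-41AC-3B95DC66C7C0} - C:\WINDOWS\system32\appzy.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [appez.exe] C:\WINDOWS\system32\appez.exe
O4 - HKLM\..\Run: [SoundControl] C:\WINDOWS\System32\smrss.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

WINDOWS_DIR = "c:\\windows\\"          # assumption: %SystemRoot% is C:\WINDOWS, as in the log
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe"}
KNOWN_GOOD_LOADERS = {"ctfmon.exe"}   # analyst-maintained allowlist (example entry only)

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RES_DLL = re.compile(r"^res://(?P<dll>[^/]+\.dll)", re.IGNORECASE)
EXE_PATH = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.exe))', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # hijacked_url | system_dir_bho | system_dir_loader | lookalike
    where: str   # registry location the entry came from
    path: str    # file on disk to examine


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def looks_like_core_process(basename: str) -> bool:
    """True for a near-miss of a core process name (smrss.exe), not an exact one."""
    name = basename.lower()
    return name not in CORE_PROCESSES and any(edit_distance(name, c) == 1 for c in CORE_PROCESSES)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R_LINE.match(line):
            if d := RES_DLL.match(m["data"]):
                findings.append(Finding("hijacked_url", f"{m['key']},{m['value']}", d["dll"]))
        elif m := BHO_LINE.match(line):
            if in_windows_dir(m["path"]):
                findings.append(Finding("system_dir_bho", f"BHO {m['clsid']}", m["path"]))
        elif m := RUN_LINE.match(line):
            e = EXE_PATH.match(m["cmd"])
            if not e:
                continue                       # bare name resolved via PATH; nothing to locate
            exe = e["quoted"] or e["bare"]
            base = exe.rsplit("\\", 1)[-1]
            where = f"{m['hive']}\\..\\{m['key']}\\[{m['name']}]"
            if looks_like_core_process(base):
                findings.append(Finding("lookalike", where, exe))
            elif in_windows_dir(exe) and base.lower() not in KNOWN_GOOD_LOADERS:
                findings.append(Finding("system_dir_loader", where, exe))
    return findings


def files_to_inspect(findings: List[Finding]) -> List[str]:
    """Distinct on-disk components to check, whichever entries named them."""
    return sorted({f.path for f in findings}, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:18} {f.where:58} -> {f.path}")
    print("files to inspect:", *files_to_inspect(found), sep="\n  ")
```

On the sample input this reports the two res:// search values, the BHO in system32, the Run entry for appez.exe and the smss.exe lookalike, and ctfmon.exe stays quiet only because of the allowlist. The "where" column is the registry value to check and reset, and the file list is what to look for on the drive; since the post says the hijack returns each time Internet Explorer is opened, the Run entries and the BHO are the places to look for whatever re-creates the search-page values.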

